fix JT name

.ansible-lint

@@ -1,19 +1,12 @@
 ---
 profile: production
-offline: true
+offline: false
 
 skip_list:
   - "galaxy[no-changelog]"
 
-warn_list:
-  # seems to be a bug, see https://github.com/ansible/ansible-lint/issues/4172
-  - "fqcn[canonical]"
-  # @matferna: really not sure why lint thinks it can't find jmespath, it is installed and functional
-  - "jinja[invalid]"
-
 exclude_paths:
   # would be better to move the roles here to the top-level roles directory
   - collections/ansible_collections/demo/compliance/roles/
   - roles/redhatofficial.*
   - .github/
-  - execution_environments/ee_contexts/

.github/workflows/README.md

@@ -1,25 +0,0 @@
-# GitHub Actions
-## Background
-We want to make attempts to run our integration tests in the same manner wether using GitHub actions or on a developers's machine locally. For this reason, the tests are curated to run using container images. As of this writing, two images exist which we would like to test against:
-  - quay.io/ansible-product-demos/apd-ee-24:latest
-  - quay.io/ansible-product-demos/apd-ee-25:latest
-
-These images are built given the structure defined in their respective EE [definitions][../execution_environments]. Because they differ (mainly due to their python versions), each gets some special handling.
-
-## Troubleshooting GitHub Actions
-
-### Interactive
-It is likely the most straight-forward approach to interactively debug issues. The following podman command can be run from the project root directory to replicate the GitHub action:
-```
-podman run \
-           --user root  \
-           -v $(pwd):/runner:Z \
-           -it \
-           <image> \
-           /bin/bash
-```
-`<image>` is one of `quay.io/ansible-product-demos/apd-ee-25:latest`, `quay.io/ansible-product-demos/apd-ee-24:latest`
-It is not exact because GitHub seems to run closer to a sidecar container paradigm, and uses docker instead of podman, but hopefully it's close enough.
-
-For the 24 EE, the python interpreriter verions is set for our pre-commit script like so: `USE_PYTHON=python3.9 ./.github/workflows/run-pc.sh`
-The 25 EE is similary run but without the need for this variable: `./.github/workflows/run-pc.sh`

.github/workflows/pre-commit.yml

@@ -4,23 +4,16 @@ on:
  - push
  - pull_request_target
 
-jobs:
-  pre-commit-25:
-    container:
-      image: quay.io/ansible-product-demos/apd-ee-25
-      options: --user root
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - run: ./.github/workflows/run-pc.sh
-      shell: bash
-  pre-commit-24:
-    container:
-      image: quay.io/ansible-product-demos/apd-ee-24
-      options: --user root
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - run: USE_PYTHON=python3.9 ./.github/workflows/run-pc.sh
-      shell: bash
+env:
+  ANSIBLE_GALAXY_SERVER_AH_TOKEN: ${{ secrets.ANSIBLE_GALAXY_SERVER_AH_TOKEN }}
 
+jobs:
+  pre-commit:
+    name: pre-commit
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-python@v5
+    - uses: pre-commit/action@v3.0.1
+
+...

.github/workflows/run-pc.sh

@@ -1,24 +0,0 @@
-#!/bin/bash -x
-
-dnf install git-lfs -y
-
-PYTHON_VARIANT="${USE_PYTHON:-python3.11}"
-PATH="$PATH:$HOME/.local/bin"
-
-# intsall pip
-eval "${PYTHON_VARIANT} -m pip install --user --upgrade pip"
-
-# try to fix 2.4 incompatibility 
-eval "${PYTHON_VARIANT} -m pip install --user --upgrade setuptools wheel twine check-wheel-contents"
-
-# intsall pre-commit
-eval "${PYTHON_VARIANT} -m pip install --user pre-commit"
-
-# view pip packages
-eval "${PYTHON_VARIANT} -m pip freeze --local"
-
-# fix permissions on directory
-git config --global --add safe.directory $(pwd)
-
-# run pre-commit
-pre-commit run --config $(pwd)/.pre-commit-gh.yml --show-diff-on-failure --color=always 

.gitignore

@@ -10,7 +10,3 @@ choose_demo_example_aws.yml
 roles/*
 !roles/requirements.yml
 .deployment_id
-.cache/
-.ansible/
-**/tmp/
-execution_environments/context/

.pre-commit-config.yaml

@@ -3,6 +3,9 @@ repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.4.0
     hooks:
+      - id: end-of-file-fixer
+        exclude: rhel[89]STIG/.*$
+
       - id: trailing-whitespace
         exclude: rhel[89]STIG/.*$
 
@@ -14,12 +17,13 @@ repos:
       - id: check-json
       - id: check-symlinks
 
-  - repo: local
+  - repo: https://github.com/ansible/ansible-lint.git
+    # get latest release tag from https://github.com/ansible/ansible-lint/releases/
+    rev: v6.20.3
     hooks:
       - id: ansible-lint
-        name: ansible-navigator lint --eei quay.io/ansible-product-demos/apd-ee-25:latest --mode stdout
-        language: python
-        entry: bash -c "ansible-navigator lint --eei quay.io/ansible-product-demos/apd-ee-25 -v --force-color --mode stdout"
+        additional_dependencies:
+          - jmespath
 
   - repo: https://github.com/psf/black-pre-commit-mirror
     rev: 23.11.0

.pre-commit-gh.yml

@@ -1,30 +0,0 @@
----
-repos:
-  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
-    hooks:
-      - id: trailing-whitespace
-        exclude: rhel[89]STIG/.*$
-
-      - id: check-yaml
-        exclude: \.j2.(yaml|yml)$|\.(yaml|yml).j2$
-        args: [--unsafe]   # see https://github.com/pre-commit/pre-commit-hooks/issues/273
-
-      - id: check-toml
-      - id: check-json
-      - id: check-symlinks
-
-  - repo: https://github.com/ansible/ansible-lint.git
-    # get latest release tag from https://github.com/ansible/ansible-lint/releases/
-    rev: v6.20.3
-    hooks:
-      - id: ansible-lint
-        additional_dependencies:
-          - jmespath
-
-  - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 23.11.0
-    hooks:
-      - id: black
-        exclude: rhel[89]STIG/.*$
-...

README.md

@@ -1,34 +1,66 @@
-[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
+[![Lab](https://img.shields.io/badge/Try%20Me-EE0000?style=for-the-badge&logo=redhat&logoColor=white)](https://red.ht/aap-product-demos)
 [![Dev Spaces](https://img.shields.io/badge/Customize%20Here-0078d7.svg?style=for-the-badge&logo=visual-studio-code&logoColor=white)](https://workspaces.openshift.com/f?url=https://github.com/ansible/product-demos)
 
-# APD - Ansible Product Demos
+# Official Ansible Product Demos
 
-The Ansible Product Demos (APD) project is a set of Ansible demos that are deployed using [Red Hat Ansible Automation Platform](https://www.redhat.com/en/technologies/management/ansible).  It uses configuraton-as-code to create AAP resources such as projects, templates, and credentials that form the basis for demonstrating automation use cases in several technology domains:
+This is a centralized location for Ansible Product Demos. This project is a collection of use cases implemented with Ansible for use with the Ansible Automation Platform.
 
 | Demo Name | Description |
 |-----------|-------------|
 | [Linux](linux/README.md) | Repository of demos for RHEL and Linux automation |
 | [Windows](windows/README.md) | Repository of demos for Windows Server automation |
 | [Cloud](cloud/README.md) | Demo for infrastructure and cloud provisioning automation |
-| [Network](network/README.md) | Network automation demos |
-| [OpenShift](openshift/README.md) | OpenShift automation demos |
+| [Network](network/README.md) | Ansible Network automation demos |
 | [Satellite](satellite/README.md) | Demos of automation with Red Hat Satellite Server |
 
+## Contributions
+
+If you would like to contribute to this project please refer to [contribution guide](CONTRIBUTING.md) for best practices.
+
 ## Using this project
 
-Use the [APD bootstrap](https://github.com/ansible/product-demos-bootstrap) repo to add APD to an existing Ansible Automation Platform deployment.  The bootstrap repo provides the initial manual prerequisite steps as well as a playbook for adding APD to the existing deployment.
+This project is tested for compatibility with the [demo.redhat.com Product Demos Sandbox](https://demo.redhat.com/catalog?search=product+demos&item=babylon-catalog-prod%2Fopenshift-cnv.aap-product-demos-cnv.prod) lab environment. To use with other Ansible Controller installations, review the [prerequisite documentation](https://github.com/RedHatGov/ansible-tower-samples).
 
-For Red Hat associates and partners, there is an Ansible Product Demos catalog item [available on demo.redhat.com](https://red.ht/apd-sandbox) (account required).
+> NOTE: demo.redhat.com is available to Red Hat Associates and Partners with a valid account.
+
+1. First you must create a credential for [Automation Hub](https://console.redhat.com/ansible/automation-hub/) to successfully sync collections used by this project.
+
+   1. In the Credentials section of the Controller UI, add a new Credential called `Automation Hub` with the type `Ansible Galaxy/Automation Hub API Token`
+   2. You can obtain a token [here](https://console.redhat.com/ansible/automation-hub/token). This page will also provide the Server URL and Auth Server URL.
+   3. Next, click on Organizations and edit the `Default` organization. Add your `Automation Hub` credential to the `Galaxy Credentials` section. Don't forget to click **Save**!!
+
+      > You can also use an execution environment for disconnected environments. To do this, you must disable collection downloads in the Controller. This can be done in `Settings` > `Job Settings`. This setting prevents the controller from downloading collections listed in the [collections/requirements.yml](collections/requirements.yml) file.
+
+2. If it is not already created for you, add an Execution Environment called `product-demos`
+
+     - Name: product-demos
+     - Image: quay.io/acme_corp/product-demos-ee:latest
+     - Pull: Only pull the image if not present before running
+
+3. If it is not already created for you, create a Project called `Ansible official demo project` with this repo as a source. NOTE: if you are using a fork, be sure that you have the correct URL. Update the project.
+
+4. Finally, Create a Job Template called `Setup` with the following configuration:
+
+     - Name: Setup
+     - Inventory: Demo Inventory
+     - Exec Env: product-demos
+     - Playbook: setup_demo.yml
+     - Credentials:
+        - Type: Red Hat Ansible Automation Platform
+        - Name: Controller Credential
+     - Extra vars:
+
+            demo: <linux or windows or cloud or network>
 
 ## Bring Your Own Demo
 
 Can't find what you're looking for? Customize this repo to make it your own.
 
 1. Create a fork of this repo.
-2. Update the URL of the `Ansible Project Demos` project your Ansible Automation Platform controller.
-3. Make changes to your fork as needed and run the **Product Demos | Single demo setup** job
+2. Update the URL of the `Ansible official demo project` in the Controller.
+3. Make changes as needed and run the **Setup** job
 
-See the [contributing guide](CONTRIBUTING.md) for more details on how to customize the project.
+See the [contribution guide](CONTRIBUTING.md) for more details on how to customize the project.
 
 ---
 

ansible.cfg

@@ -1,19 +1,15 @@
 [defaults]
-collections_path=./collections:/usr/share/ansible/collections
+collections_path=./collections
 roles_path=./roles
 
 [galaxy]
-server_list = certified,validated,galaxy
+server_list = ah,galaxy
 
-[galaxy_server.certified]
+[galaxy_server.ah]
 # Grab a token at https://console.redhat.com/ansible/automation-hub/token
-# Then define it in the ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN environment variable
-url=https://console.redhat.com/api/automation-hub/content/published/
-auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
+# Then define it using ANSIBLE_GALAXY_SERVER_AH_TOKEN=""
 
-[galaxy_server.validated]
-# Define the token in the ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN environment variable
-url=https://console.redhat.com/api/automation-hub/content/validated/
+url=https://console.redhat.com/api/automation-hub/content/published/
 auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
 
 [galaxy_server.galaxy]

cloud/README.md

@@ -19,11 +19,12 @@ This category of demos shows examples of multi-cloud provisioning and management
 
 ### Jobs
 
-- [**Cloud / AWS / Create VM**](create_vm.yml) - Create a VM based on a [blueprint](blueprints/) in the selected cloud provider
-- [**Cloud / AWS / Destroy VM**](destroy_vm.yml) - Destroy a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be deleted.
-- [**Cloud / AWS / Snapshot EC2**](snapshot_ec2.yml) - Snapshot a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be snapshot.
-- [**Cloud / AWS / Restore EC2 from Snapshot**](snapshot_ec2.yml) - Restore a VM that has been created in a cloud provider.  By default, volumes will be restored from their latest snapshot. VM must be imported into dynamic inventory to be patched.
-- [**Cloud / Resize EC2**](resize_ec2.yml) - Re-size an EC2 instance.
+- [**Cloud / Create Infra**](create_infra.yml) - Creates a VPC with required routing and firewall rules for provisioning VMs
+- [**Cloud / Create Keypair**](aws_key.yml) - Creates a keypair for connecting to EC2 instances
+- [**Cloud / Create VM**](create_vm.yml) - Create a VM based on a [blueprint](blueprints/) in the selected cloud provider
+- [**Cloud / Destroy VM**](destroy_vm.yml) - Destroy a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be deleted.
+- [**Cloud / Snapshot EC2**](snapshot_ec2.yml) - Snapshot a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be snapshot.
+- [**Cloud / Restore EC2 from Snapshot**](snapshot_ec2.yml) - Restore a VM that has been created in a cloud provider.  By default, volumes will be restored from their latest snapshot. VM must be imported into dynamic inventory to be patched.
 
 ### Inventory
 
@@ -58,13 +59,11 @@ After running the setup job template, there are a few steps required to make the
 
 ## Suggested Usage
 
-**Deploy Cloud Stack in AWS** - This workflow builds out many helpful and convient resources in AWS. Given an AWS region, key, and some organizational paremetres for tagging it builds a default VPC, keypair, five VMs (three RHEL and two Windows), and even provides a report for cloud stats. It is the typical starting point for using Ansible Product-Demos in AWS.
+**Cloud / Create Keypair** - The Create Keypair job creates an EC2 keypair which can be used when creating EC2 instances to enable SSH access.
 
 **Cloud / Create VM** - The Create VM job builds a VM in the given provider based on the included `demo.cloud` collection. VM [blueprints](blueprints/) define variables for each provider that override the defaults in the collection. When creating VMs it is recommended to follow naming conventions that can be used as host patterns. (eg. VM names: `win1`, `win2`, `win3`.  Host Pattern: `win*` )
 
 **Cloud / AWS / Patch EC2 Workflow** - Create a VPC and one or more linux VM(s) in AWS using the `Cloud / Create VPC` and `Cloud / Create VM` templates. Run the workflow and observe the instance snapshots followed by patching operation. Optionally, use the survey to force a patch failure in order to demonstrate the restore path. At this time, the workflow does not support patching Windows instances.
 
-**Cloud / AWS / Resize EC2** - Given an EC2 instance, change its size. This takes an AWS region, target host pattern, and a target instance size as parameters. As a final step, this job refreshes the AWS inventory so the re-created instance is accessible from AAP.
-
 ## Known Issues
 Azure does not work without a custom execution environment that includes the Azure dependencies.

cloud/create_vpc.yml

@@ -2,7 +2,6 @@
 - name: Create Cloud Infra
   hosts: localhost
   gather_facts: false
-
   vars:
     aws_vpc_name: aws-test-vpc
     aws_owner_tag: default
@@ -14,27 +13,6 @@
     aws_subnet_name: aws-test-subnet
     aws_rt_name: aws-test-rt
 
-    # map of availability zones to use per region, added since not all
-    # instance types are available in all AZs.  must match the drop-down
-    # list for the create_vm_aws_region variable described in cloud/setup.yml
-    _azs:
-      us-east-1:
-        - us-east-1a
-        - us-east-1b
-        - us-east-1c
-      us-east-2:
-        - us-east-2a
-        - us-east-2b
-        - us-east-2c
-      us-west-1:
-        # us-west-1a not available when last checked 20250218
-        - us-west-1b
-        - us-west-1c
-      us-west-2:
-        - us-west-2a
-        - us-west-2b
-        - us-west-2c
-
   tasks:
     - name: Create VPC
       amazon.aws.ec2_vpc_net:
@@ -117,13 +95,12 @@
           owner: "{{ aws_owner_tag }}"
           purpose: "{{ aws_purpose_tag }}"
 
-    - name: Create a subnet in the VPC
+    - name: Create a subnet on the VPC
       amazon.aws.ec2_vpc_subnet:
         state: present
         vpc_id: "{{ aws_vpc.vpc.id }}"
         cidr: "{{ aws_subnet_cidr }}"
         region: "{{ create_vm_aws_region }}"
-        az: "{{ _azs[create_vm_aws_region] | shuffle | first }}"
         map_public: true
         tags:
           Name: "{{ aws_subnet_name }}"

cloud/resize_ec2.yml

@@ -1,10 +0,0 @@
----
-- name: Resize ec2 instances
-  hosts: "{{ _hosts | default(omit) }}"
-  gather_facts: false
-
-  tasks:
-    - name: Include snapshot role
-      ansible.builtin.include_role:
-        name: "demo.cloud.aws"
-        tasks_from: resize_ec2

cloud/setup.yml

@@ -114,7 +114,7 @@ controller_templates:
     organization: Default
     credentials:
       - AWS
-    project: Ansible Product Demos
+    project: Ansible official demo project
     playbook: cloud/snapshot_ec2.yml
     inventory: Demo Inventory
     notification_templates_started: Telemetry
@@ -145,7 +145,7 @@ controller_templates:
     organization: Default
     credentials:
       - AWS
-    project: Ansible Product Demos
+    project: Ansible official demo project
     playbook: cloud/restore_ec2.yml
     inventory: Demo Inventory
     notification_templates_started: Telemetry
@@ -176,7 +176,7 @@ controller_templates:
     organization: Default
     credentials:
       - AWS
-    project: Ansible Product Demos
+    project: Ansible official demo project
     playbook: cloud/display-ec2-stats.yml
     inventory: Demo Inventory
     notification_templates_started: Telemetry
@@ -186,7 +186,7 @@ controller_templates:
   - name: "LINUX / Patching"
     job_type: check
     inventory: "Demo Inventory"
-    project: "Ansible Product Demos"
+    project: "Ansible official demo project"
     playbook: "linux/patching.yml"
     execution_environment: Default execution environment
     notification_templates_started: Telemetry
@@ -283,7 +283,7 @@ controller_workflows:
       - identifier: Deploy Windows GUI Blueprint
         unified_job_template: Cloud / AWS / Create VM
         extra_data:
-          create_vm_vm_name: aws-dc
+          create_vm_vm_name: aws_dc
           vm_blueprint: windows_full
         success_nodes:
           - Update Inventory
@@ -368,7 +368,7 @@ controller_workflows:
           default: os_linux
     simplified_workflow_nodes:
       - identifier: Project Sync
-        unified_job_template: Ansible Product Demos
+        unified_job_template: Ansible official demo project
         success_nodes:
           - Take Snapshot
       - identifier: Inventory Sync

collections/ansible_collections/demo/cloud/roles/aws/tasks/resize_ec2.yml

@@ -1,45 +0,0 @@
----
-# parameters
-# instance_type: new instance type, e.g. t3.large
-- name: AWS | RESIZE VM
-  delegate_to: localhost
-  vars:
-    controller_dependency_check: false  # noqa: var-naming[no-role-prefix]
-    controller_inventory_sources:
-      - name: AWS Inventory
-        inventory: Demo Inventory
-        organization: Default
-        wait: true
-  block:
-    - name: AWS | RESIZE EC2 | assert required vars
-      ansible.builtin.assert:
-        that:
-          - instance_id is defined
-          - aws_region is defined
-        fail_msg: "instance_id, aws_region is required for resize operations"
-
-    - name: AWS | RESIZE EC2 | shutdown instance
-      amazon.aws.ec2_instance:
-        instance_ids: "{{ instance_id }}"
-        region: "{{ aws_region }}"
-        state: stopped
-        wait: true
-
-    - name: AWS | RESIZE EC2 | update instance type
-      amazon.aws.ec2_instance:
-        region: "{{ aws_region }}"
-        instance_ids: "{{ instance_id }}"
-        instance_type: "{{ instance_type }}"
-        wait: true
-
-    - name: AWS | RESIZE EC2 | start instance
-      amazon.aws.ec2_instance:
-        instance_ids: "{{ instance_id }}"
-        region: "{{ aws_region }}"
-        state: started
-        wait: true
-
-    - name: Synchronize inventory
-      run_once: true
-      ansible.builtin.include_role:
-        name: infra.controller_configuration.inventory_source_update

collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml

@@ -3,7 +3,7 @@ rhel8STIG_stigrule_230225_Manage: True
 rhel8STIG_stigrule_230225_banner_Line: banner /etc/issue
 # R-230226 RHEL-08-010050
 rhel8STIG_stigrule_230226_Manage: True
-rhel8STIG_stigrule_230226__etc_dconf_db_local_d_01_banner_message_Value: "''You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.''"
+rhel8STIG_stigrule_230226__etc_dconf_db_local_d_01_banner_message_Value: '''You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'''
 # R-230227 RHEL-08-010060
 rhel8STIG_stigrule_230227_Manage: True
 rhel8STIG_stigrule_230227__etc_issue_Dest: /etc/issue
@@ -43,6 +43,9 @@ rhel8STIG_stigrule_230241_policycoreutils_State: installed
 # R-230244 RHEL-08-010200
 rhel8STIG_stigrule_230244_Manage: True
 rhel8STIG_stigrule_230244_ClientAliveCountMax_Line: ClientAliveCountMax 1
+# R-230252 RHEL-08-010291
+rhel8STIG_stigrule_230252_Manage: True
+rhel8STIG_stigrule_230252__etc_sysconfig_sshd_Line: '# CRYPTO_POLICY='
 # R-230255 RHEL-08-010294
 rhel8STIG_stigrule_230255_Manage: True
 rhel8STIG_stigrule_230255__etc_crypto_policies_back_ends_opensslcnf_config_Line: 'MinProtocol = TLSv1.2'
@@ -135,9 +138,16 @@ rhel8STIG_stigrule_230346__etc_security_limits_conf_Line: '* hard maxlogins 10'
 # R-230347 RHEL-08-020030
 rhel8STIG_stigrule_230347_Manage: True
 rhel8STIG_stigrule_230347__etc_dconf_db_local_d_00_screensaver_Value: 'true'
+# R-230348 RHEL-08-020040
+rhel8STIG_stigrule_230348_Manage: True
+rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State: installed
+rhel8STIG_stigrule_230348__etc_tmux_conf_Line: 'set -g lock-command vlock'
 # R-230352 RHEL-08-020060
 rhel8STIG_stigrule_230352_Manage: True
 rhel8STIG_stigrule_230352__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 900'
+# R-230353 RHEL-08-020070
+rhel8STIG_stigrule_230353_Manage: True
+rhel8STIG_stigrule_230353__etc_tmux_conf_Line: 'set -g lock-after-time 900'
 # R-230354 RHEL-08-020080
 rhel8STIG_stigrule_230354_Manage: True
 rhel8STIG_stigrule_230354__etc_dconf_db_local_d_locks_session_Line: '/org/gnome/desktop/screensaver/lock-delay'
@@ -325,8 +335,8 @@ rhel8STIG_stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b32_Line: '
 rhel8STIG_stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b64_Line: '-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng'
 # R-230439 RHEL-08-030361
 rhel8STIG_stigrule_230439_Manage: True
-rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32_Line: '-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete'
-rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64_Line: '-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete'
+rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32_Line: '-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k module_chng'
+rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64_Line: '-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k module_chng'
 # R-230444 RHEL-08-030370
 rhel8STIG_stigrule_230444_Manage: True
 rhel8STIG_stigrule_230444__etc_audit_rules_d_audit_rules__usr_bin_gpasswd_Line: '-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd'
@@ -422,8 +432,7 @@ rhel8STIG_stigrule_230527_Manage: True
 rhel8STIG_stigrule_230527_RekeyLimit_Line: RekeyLimit 1G 1h
 # R-230529 RHEL-08-040170
 rhel8STIG_stigrule_230529_Manage: True
-rhel8STIG_stigrule_230529_ctrl_alt_del_target_disable_Enabled: false
-rhel8STIG_stigrule_230529_ctrl_alt_del_target_mask_Masked: true
+rhel8STIG_stigrule_230529_systemctl_mask_ctrl_alt_del_target_Command: systemctl mask ctrl-alt-del.target
 # R-230531 RHEL-08-040172
 rhel8STIG_stigrule_230531_Manage: True
 rhel8STIG_stigrule_230531__etc_systemd_system_conf_Value: 'none'
@@ -505,9 +514,6 @@ rhel8STIG_stigrule_244523__usr_lib_systemd_system_emergency_service_Value: '-/us
 # R-244525 RHEL-08-010201
 rhel8STIG_stigrule_244525_Manage: True
 rhel8STIG_stigrule_244525_ClientAliveInterval_Line: ClientAliveInterval 600
-# R-244526 RHEL-08-010287
-rhel8STIG_stigrule_244526_Manage: True
-rhel8STIG_stigrule_244526__etc_sysconfig_sshd_Line: '# CRYPTO_POLICY='
 # R-244527 RHEL-08-010472
 rhel8STIG_stigrule_244527_Manage: True
 rhel8STIG_stigrule_244527_rng_tools_State: installed
@@ -520,6 +526,9 @@ rhel8STIG_stigrule_244535__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 5'
 # R-244536 RHEL-08-020032
 rhel8STIG_stigrule_244536_Manage: True
 rhel8STIG_stigrule_244536__etc_dconf_db_local_d_02_login_screen_Value: 'true'
+# R-244537 RHEL-08-020039
+rhel8STIG_stigrule_244537_Manage: True
+rhel8STIG_stigrule_244537_tmux_State: installed
 # R-244538 RHEL-08-020081
 rhel8STIG_stigrule_244538_Manage: True
 rhel8STIG_stigrule_244538__etc_dconf_db_local_d_locks_session_idle_delay_Line: '/org/gnome/desktop/session/idle-delay'

collections/ansible_collections/demo/compliance/roles/rhel8STIG/handlers/main.yml

@@ -6,25 +6,6 @@
   service:
     name: sshd
     state: restarted
-- name: rsyslog_restart
-  service:
-    name: rsyslog
-    state: restarted
-- name: sysctl_load_settings
-  command: sysctl --system
-- name: daemon_reload
-  systemd:
-    daemon_reload: true
-- name: networkmanager_reload
-  service:
-    name: NetworkManager
-    state: reloaded
-- name: logind_restart
-  service:
-    name: systemd-logind
-    state: restarted
-- name: with_faillock_enable
-  command: authselect enable-feature with-faillock
 - name: do_reboot
   reboot:
     pre_reboot_delay: 60

collections/ansible_collections/demo/compliance/roles/rhel8STIG/tasks/main.yml

@@ -88,6 +88,16 @@
   when:
     - rhel8STIG_stigrule_230244_Manage
     - "'openssh-server' in packages"
+# R-230252 RHEL-08-010291
+- name: stigrule_230252__etc_sysconfig_sshd
+  lineinfile:
+    path: /etc/sysconfig/sshd
+    regexp: '^# CRYPTO_POLICY='
+    line: "{{ rhel8STIG_stigrule_230252__etc_sysconfig_sshd_Line }}"
+    create: yes
+  notify: do_reboot
+  when:
+    - rhel8STIG_stigrule_230252_Manage
 # R-230255 RHEL-08-010294
 - name: stigrule_230255__etc_crypto_policies_back_ends_opensslcnf_config
   lineinfile:
@@ -101,7 +111,6 @@
 - name: stigrule_230256__etc_crypto_policies_back_ends_gnutls_config
   lineinfile:
     path: /etc/crypto-policies/back-ends/gnutls.config
-    regexp: '^\+VERS'
     line: "{{ rhel8STIG_stigrule_230256__etc_crypto_policies_back_ends_gnutls_config_Line }}"
     create: yes
   when:
@@ -413,6 +422,20 @@
   when:
     - rhel8STIG_stigrule_230347_Manage
     - "'dconf' in packages"
+# R-230348 RHEL-08-020040
+- name: stigrule_230348_ensure_tmux_is_installed
+  yum:
+    name: tmux
+    state: "{{ rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State }}"
+  when: rhel8STIG_stigrule_230348_Manage
+# R-230348 RHEL-08-020040
+- name: stigrule_230348__etc_tmux_conf
+  lineinfile:
+    path: /etc/tmux.conf
+    line: "{{ rhel8STIG_stigrule_230348__etc_tmux_conf_Line }}"
+    create: yes
+  when:
+    - rhel8STIG_stigrule_230348_Manage
 # R-230352 RHEL-08-020060
 - name: stigrule_230352__etc_dconf_db_local_d_00_screensaver
   ini_file:
@@ -425,13 +448,20 @@
   when:
     - rhel8STIG_stigrule_230352_Manage
     - "'dconf' in packages"
+# R-230353 RHEL-08-020070
+- name: stigrule_230353__etc_tmux_conf
+  lineinfile:
+    path: /etc/tmux.conf
+    line: "{{ rhel8STIG_stigrule_230353__etc_tmux_conf_Line }}"
+    create: yes
+  when:
+    - rhel8STIG_stigrule_230353_Manage
 # R-230354 RHEL-08-020080
 - name: stigrule_230354__etc_dconf_db_local_d_locks_session
   lineinfile:
     path: /etc/dconf/db/local.d/locks/session
     line: "{{ rhel8STIG_stigrule_230354__etc_dconf_db_local_d_locks_session_Line }}"
     create: yes
-  notify: dconf_update
   when:
     - rhel8STIG_stigrule_230354_Manage
 # R-230357 RHEL-08-020110
@@ -580,7 +610,7 @@
   when:
     - rhel8STIG_stigrule_230383_Manage
 # R-230386 RHEL-08-030000
-- name: stigrule_230386__etc_audit_rules_d_audit_rules_execve_euid_b32
+- name : stigrule_230386__etc_audit_rules_d_audit_rules_execve_euid_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv$'
@@ -588,7 +618,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230386_Manage
 # R-230386 RHEL-08-030000
-- name: stigrule_230386__etc_audit_rules_d_audit_rules_execve_euid_b64
+- name : stigrule_230386__etc_audit_rules_d_audit_rules_execve_euid_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv$'
@@ -596,7 +626,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230386_Manage
 # R-230386 RHEL-08-030000
-- name: stigrule_230386__etc_audit_rules_d_audit_rules_execve_egid_b32
+- name : stigrule_230386__etc_audit_rules_d_audit_rules_execve_egid_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv$'
@@ -604,7 +634,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230386_Manage
 # R-230386 RHEL-08-030000
-- name: stigrule_230386__etc_audit_rules_d_audit_rules_execve_egid_b64
+- name : stigrule_230386__etc_audit_rules_d_audit_rules_execve_egid_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv$'
@@ -689,7 +719,7 @@
   when:
     - rhel8STIG_stigrule_230395_Manage
 # R-230402 RHEL-08-030121
-- name: stigrule_230402__etc_audit_rules_d_audit_rules_e2
+- name : stigrule_230402__etc_audit_rules_d_audit_rules_e2
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-e 2$'
@@ -697,7 +727,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230402_Manage
 # R-230403 RHEL-08-030122
-- name: stigrule_230403__etc_audit_rules_d_audit_rules_loginuid_immutable
+- name : stigrule_230403__etc_audit_rules_d_audit_rules_loginuid_immutable
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^--loginuid-immutable$'
@@ -705,7 +735,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230403_Manage
 # R-230404 RHEL-08-030130
-- name: stigrule_230404__etc_audit_rules_d_audit_rules__etc_shadow
+- name : stigrule_230404__etc_audit_rules_d_audit_rules__etc_shadow
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-w /etc/shadow -p wa -k identity$'
@@ -713,7 +743,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230404_Manage
 # R-230405 RHEL-08-030140
-- name: stigrule_230405__etc_audit_rules_d_audit_rules__etc_security_opasswd
+- name : stigrule_230405__etc_audit_rules_d_audit_rules__etc_security_opasswd
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-w /etc/security/opasswd -p wa -k identity$'
@@ -721,7 +751,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230405_Manage
 # R-230406 RHEL-08-030150
-- name: stigrule_230406__etc_audit_rules_d_audit_rules__etc_passwd
+- name : stigrule_230406__etc_audit_rules_d_audit_rules__etc_passwd
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-w /etc/passwd -p wa -k identity$'
@@ -729,7 +759,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230406_Manage
 # R-230407 RHEL-08-030160
-- name: stigrule_230407__etc_audit_rules_d_audit_rules__etc_gshadow
+- name : stigrule_230407__etc_audit_rules_d_audit_rules__etc_gshadow
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-w /etc/gshadow -p wa -k identity$'
@@ -737,7 +767,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230407_Manage
 # R-230408 RHEL-08-030170
-- name: stigrule_230408__etc_audit_rules_d_audit_rules__etc_group
+- name : stigrule_230408__etc_audit_rules_d_audit_rules__etc_group
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-w /etc/group -p wa -k identity$'
@@ -745,7 +775,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230408_Manage
 # R-230409 RHEL-08-030171
-- name: stigrule_230409__etc_audit_rules_d_audit_rules__etc_sudoers
+- name : stigrule_230409__etc_audit_rules_d_audit_rules__etc_sudoers
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-w /etc/sudoers -p wa -k identity$'
@@ -753,7 +783,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230409_Manage
 # R-230410 RHEL-08-030172
-- name: stigrule_230410__etc_audit_rules_d_audit_rules__etc_sudoers_d_
+- name : stigrule_230410__etc_audit_rules_d_audit_rules__etc_sudoers_d_
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-w /etc/sudoers.d/ -p wa -k identity$'
@@ -767,7 +797,7 @@
     state: "{{ rhel8STIG_stigrule_230411_audit_State }}"
   when: rhel8STIG_stigrule_230411_Manage
 # R-230412 RHEL-08-030190
-- name: stigrule_230412__etc_audit_rules_d_audit_rules__usr_bin_su
+- name : stigrule_230412__etc_audit_rules_d_audit_rules__usr_bin_su
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change$'
@@ -775,7 +805,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230412_Manage
 # R-230413 RHEL-08-030200
-- name: stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b32_unset
+- name : stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b32_unset
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -783,7 +813,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230413_Manage
 # R-230413 RHEL-08-030200
-- name: stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b64_unset
+- name : stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b64_unset
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -791,7 +821,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230413_Manage
 # R-230413 RHEL-08-030200
-- name: stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b32
+- name : stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod$'
@@ -799,7 +829,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230413_Manage
 # R-230413 RHEL-08-030200
-- name: stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b64
+- name : stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod$'
@@ -807,7 +837,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230413_Manage
 # R-230418 RHEL-08-030250
-- name: stigrule_230418__etc_audit_rules_d_audit_rules__usr_bin_chage
+- name : stigrule_230418__etc_audit_rules_d_audit_rules__usr_bin_chage
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage$'
@@ -815,7 +845,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230418_Manage
 # R-230419 RHEL-08-030260
-- name: stigrule_230419__etc_audit_rules_d_audit_rules__usr_bin_chcon
+- name : stigrule_230419__etc_audit_rules_d_audit_rules__usr_bin_chcon
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -823,7 +853,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230419_Manage
 # R-230421 RHEL-08-030280
-- name: stigrule_230421__etc_audit_rules_d_audit_rules__usr_bin_ssh_agent
+- name : stigrule_230421__etc_audit_rules_d_audit_rules__usr_bin_ssh_agent
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh$'
@@ -831,7 +861,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230421_Manage
 # R-230422 RHEL-08-030290
-- name: stigrule_230422__etc_audit_rules_d_audit_rules__usr_bin_passwd
+- name : stigrule_230422__etc_audit_rules_d_audit_rules__usr_bin_passwd
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd$'
@@ -839,7 +869,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230422_Manage
 # R-230423 RHEL-08-030300
-- name: stigrule_230423__etc_audit_rules_d_audit_rules__usr_bin_mount
+- name : stigrule_230423__etc_audit_rules_d_audit_rules__usr_bin_mount
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount$'
@@ -847,7 +877,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230423_Manage
 # R-230424 RHEL-08-030301
-- name: stigrule_230424__etc_audit_rules_d_audit_rules__usr_bin_umount
+- name : stigrule_230424__etc_audit_rules_d_audit_rules__usr_bin_umount
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount$'
@@ -855,7 +885,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230424_Manage
 # R-230425 RHEL-08-030302
-- name: stigrule_230425__etc_audit_rules_d_audit_rules_mount_b32
+- name : stigrule_230425__etc_audit_rules_d_audit_rules_mount_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount$'
@@ -863,7 +893,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230425_Manage
 # R-230425 RHEL-08-030302
-- name: stigrule_230425__etc_audit_rules_d_audit_rules_mount_b64
+- name : stigrule_230425__etc_audit_rules_d_audit_rules_mount_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount$'
@@ -871,7 +901,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230425_Manage
 # R-230426 RHEL-08-030310
-- name: stigrule_230426__etc_audit_rules_d_audit_rules__usr_sbin_unix_update
+- name : stigrule_230426__etc_audit_rules_d_audit_rules__usr_sbin_unix_update
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -879,7 +909,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230426_Manage
 # R-230427 RHEL-08-030311
-- name: stigrule_230427__etc_audit_rules_d_audit_rules__usr_sbin_postdrop
+- name : stigrule_230427__etc_audit_rules_d_audit_rules__usr_sbin_postdrop
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -887,7 +917,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230427_Manage
 # R-230428 RHEL-08-030312
-- name: stigrule_230428__etc_audit_rules_d_audit_rules__usr_sbin_postqueue
+- name : stigrule_230428__etc_audit_rules_d_audit_rules__usr_sbin_postqueue
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -895,7 +925,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230428_Manage
 # R-230429 RHEL-08-030313
-- name: stigrule_230429__etc_audit_rules_d_audit_rules__usr_sbin_semanage
+- name : stigrule_230429__etc_audit_rules_d_audit_rules__usr_sbin_semanage
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -903,7 +933,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230429_Manage
 # R-230430 RHEL-08-030314
-- name: stigrule_230430__etc_audit_rules_d_audit_rules__usr_sbin_setfiles
+- name : stigrule_230430__etc_audit_rules_d_audit_rules__usr_sbin_setfiles
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -911,7 +941,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230430_Manage
 # R-230431 RHEL-08-030315
-- name: stigrule_230431__etc_audit_rules_d_audit_rules__usr_sbin_userhelper
+- name : stigrule_230431__etc_audit_rules_d_audit_rules__usr_sbin_userhelper
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -919,7 +949,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230431_Manage
 # R-230432 RHEL-08-030316
-- name: stigrule_230432__etc_audit_rules_d_audit_rules__usr_sbin_setsebool
+- name : stigrule_230432__etc_audit_rules_d_audit_rules__usr_sbin_setsebool
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -927,7 +957,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230432_Manage
 # R-230433 RHEL-08-030317
-- name: stigrule_230433__etc_audit_rules_d_audit_rules__usr_sbin_unix_chkpwd
+- name : stigrule_230433__etc_audit_rules_d_audit_rules__usr_sbin_unix_chkpwd
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -935,7 +965,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230433_Manage
 # R-230434 RHEL-08-030320
-- name: stigrule_230434__etc_audit_rules_d_audit_rules__usr_libexec_openssh_ssh_keysign
+- name : stigrule_230434__etc_audit_rules_d_audit_rules__usr_libexec_openssh_ssh_keysign
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh$'
@@ -943,7 +973,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230434_Manage
 # R-230435 RHEL-08-030330
-- name: stigrule_230435__etc_audit_rules_d_audit_rules__usr_bin_setfacl
+- name : stigrule_230435__etc_audit_rules_d_audit_rules__usr_bin_setfacl
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -951,7 +981,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230435_Manage
 # R-230436 RHEL-08-030340
-- name: stigrule_230436__etc_audit_rules_d_audit_rules__usr_sbin_pam_timestamp_check
+- name : stigrule_230436__etc_audit_rules_d_audit_rules__usr_sbin_pam_timestamp_check
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check$'
@@ -959,7 +989,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230436_Manage
 # R-230437 RHEL-08-030350
-- name: stigrule_230437__etc_audit_rules_d_audit_rules__usr_bin_newgrp
+- name : stigrule_230437__etc_audit_rules_d_audit_rules__usr_bin_newgrp
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd$'
@@ -967,7 +997,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230437_Manage
 # R-230438 RHEL-08-030360
-- name: stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b32
+- name : stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng$'
@@ -975,7 +1005,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230438_Manage
 # R-230438 RHEL-08-030360
-- name: stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b64
+- name : stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng$'
@@ -983,23 +1013,23 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230438_Manage
 # R-230439 RHEL-08-030361
-- name: stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32
+- name : stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
-    regexp: '^-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete$'
+    regexp: '^-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k module_chng$'
     line: "{{ rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32_Line }}"
   notify: auditd_restart
   when: rhel8STIG_stigrule_230439_Manage
 # R-230439 RHEL-08-030361
-- name: stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64
+- name : stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
-    regexp: '^-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete$'
+    regexp: '^-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k module_chng$'
     line: "{{ rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64_Line }}"
   notify: auditd_restart
   when: rhel8STIG_stigrule_230439_Manage
 # R-230444 RHEL-08-030370
-- name: stigrule_230444__etc_audit_rules_d_audit_rules__usr_bin_gpasswd
+- name : stigrule_230444__etc_audit_rules_d_audit_rules__usr_bin_gpasswd
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd$'
@@ -1007,7 +1037,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230444_Manage
 # R-230446 RHEL-08-030390
-- name: stigrule_230446__etc_audit_rules_d_audit_rules_delete_module_b32
+- name : stigrule_230446__etc_audit_rules_d_audit_rules_delete_module_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng$'
@@ -1015,7 +1045,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230446_Manage
 # R-230446 RHEL-08-030390
-- name: stigrule_230446__etc_audit_rules_d_audit_rules_delete_module_b64
+- name : stigrule_230446__etc_audit_rules_d_audit_rules_delete_module_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng$'
@@ -1023,7 +1053,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230446_Manage
 # R-230447 RHEL-08-030400
-- name: stigrule_230447__etc_audit_rules_d_audit_rules__usr_bin_crontab
+- name : stigrule_230447__etc_audit_rules_d_audit_rules__usr_bin_crontab
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab$'
@@ -1031,7 +1061,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230447_Manage
 # R-230448 RHEL-08-030410
-- name: stigrule_230448__etc_audit_rules_d_audit_rules__usr_bin_chsh
+- name : stigrule_230448__etc_audit_rules_d_audit_rules__usr_bin_chsh
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd$'
@@ -1039,7 +1069,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230448_Manage
 # R-230449 RHEL-08-030420
-- name: stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EPERM_b32
+- name : stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EPERM_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access$'
@@ -1047,7 +1077,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230449_Manage
 # R-230449 RHEL-08-030420
-- name: stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EPERM_b64
+- name : stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EPERM_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access$'
@@ -1055,7 +1085,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230449_Manage
 # R-230449 RHEL-08-030420
-- name: stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EACCES_b32
+- name : stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EACCES_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access$'
@@ -1063,7 +1093,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230449_Manage
 # R-230449 RHEL-08-030420
-- name: stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EACCES_b64
+- name : stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EACCES_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access$'
@@ -1071,7 +1101,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230449_Manage
 # R-230455 RHEL-08-030480
-- name: stigrule_230455__etc_audit_rules_d_audit_rules_chown_b32
+- name : stigrule_230455__etc_audit_rules_d_audit_rules_chown_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -1079,7 +1109,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230455_Manage
 # R-230455 RHEL-08-030480
-- name: stigrule_230455__etc_audit_rules_d_audit_rules_chown_b64
+- name : stigrule_230455__etc_audit_rules_d_audit_rules_chown_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -1087,7 +1117,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230455_Manage
 # R-230456 RHEL-08-030490
-- name: stigrule_230456__etc_audit_rules_d_audit_rules_chmod_b32
+- name : stigrule_230456__etc_audit_rules_d_audit_rules_chmod_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -1095,7 +1125,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230456_Manage
 # R-230456 RHEL-08-030490
-- name: stigrule_230456__etc_audit_rules_d_audit_rules_chmod_b64
+- name : stigrule_230456__etc_audit_rules_d_audit_rules_chmod_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -1103,7 +1133,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230456_Manage
 # R-230462 RHEL-08-030550
-- name: stigrule_230462__etc_audit_rules_d_audit_rules__usr_bin_sudo
+- name : stigrule_230462__etc_audit_rules_d_audit_rules__usr_bin_sudo
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd$'
@@ -1111,7 +1141,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230462_Manage
 # R-230463 RHEL-08-030560
-- name: stigrule_230463__etc_audit_rules_d_audit_rules__usr_sbin_usermod
+- name : stigrule_230463__etc_audit_rules_d_audit_rules__usr_sbin_usermod
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod$'
@@ -1119,7 +1149,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230463_Manage
 # R-230464 RHEL-08-030570
-- name: stigrule_230464__etc_audit_rules_d_audit_rules__usr_bin_chacl
+- name : stigrule_230464__etc_audit_rules_d_audit_rules__usr_bin_chacl
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -1127,7 +1157,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230464_Manage
 # R-230465 RHEL-08-030580
-- name: stigrule_230465__etc_audit_rules_d_audit_rules__usr_bin_kmod
+- name : stigrule_230465__etc_audit_rules_d_audit_rules__usr_bin_kmod
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules$'
@@ -1135,7 +1165,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230465_Manage
 # R-230466 RHEL-08-030590
-- name: stigrule_230466__etc_audit_rules_d_audit_rules__var_log_faillock
+- name : stigrule_230466__etc_audit_rules_d_audit_rules__var_log_faillock
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-w /var/log/faillock -p wa -k logins$'
@@ -1143,7 +1173,7 @@
   notify: auditd_restart
   when: rhel8STIG_stigrule_230466_Manage
 # R-230467 RHEL-08-030600
-- name: stigrule_230467__etc_audit_rules_d_audit_rules__var_log_lastlog
+- name : stigrule_230467__etc_audit_rules_d_audit_rules__var_log_lastlog
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-w /var/log/lastlog -p wa -k logins$'
@@ -1307,33 +1337,13 @@
     - rhel8STIG_stigrule_230527_Manage
     - "'openssh-server' in packages"
 # R-230529 RHEL-08-040170
-- name: check if ctrl-alt-del.target is installed
-  shell: ! systemctl list-unit-files | grep "^ctrl-alt-del.target[ \t]\+"
-  changed_when: False
-  check_mode: no
-  register: result
-  failed_when: result.rc > 1
-- name: stigrule_230529_ctrl_alt_del_target_disable
-  systemd_service:
+- name: stigrule_230529_systemctl_mask_ctrl_alt_del_target
+  systemd:
     name: ctrl-alt-del.target
-    enabled: "{{ rhel8STIG_stigrule_230529_ctrl_alt_del_target_disable_Enabled }}"
+    enabled: no
+    masked: yes
   when:
     - rhel8STIG_stigrule_230529_Manage
-    - result.rc == 0
-# R-230529 RHEL-08-040170
-- name: check if ctrl-alt-del.target is installed
-  shell: ! systemctl list-unit-files | grep "^ctrl-alt-del.target[ \t]\+"
-  changed_when: False
-  check_mode: no
-  register: result
-  failed_when: result.rc > 1
-- name: stigrule_230529_ctrl_alt_del_target_mask
-  systemd_service:
-    name: ctrl-alt-del.target
-    masked: "{{ rhel8STIG_stigrule_230529_ctrl_alt_del_target_mask_Masked }}"
-  when:
-    - rhel8STIG_stigrule_230529_Manage
-    - result.rc == 0
 # R-230531 RHEL-08-040172
 - name: stigrule_230531__etc_systemd_system_conf
   ini_file:
@@ -1613,16 +1623,6 @@
   when:
     - rhel8STIG_stigrule_244525_Manage
     - "'openssh-server' in packages"
-# R-244526 RHEL-08-010287
-- name: stigrule_244526__etc_sysconfig_sshd
-  lineinfile:
-    path: /etc/sysconfig/sshd
-    regexp: '^# CRYPTO_POLICY='
-    line: "{{ rhel8STIG_stigrule_244526__etc_sysconfig_sshd_Line }}"
-    create: yes
-  notify: do_reboot
-  when:
-    - rhel8STIG_stigrule_244526_Manage
 # R-244527 RHEL-08-010472
 - name: stigrule_244527_rng_tools
   yum:
@@ -1663,13 +1663,18 @@
   when:
     - rhel8STIG_stigrule_244536_Manage
     - "'dconf' in packages"
+# R-244537 RHEL-08-020039
+- name: stigrule_244537_tmux
+  yum:
+    name: tmux
+    state: "{{ rhel8STIG_stigrule_244537_tmux_State }}"
+  when: rhel8STIG_stigrule_244537_Manage
 # R-244538 RHEL-08-020081
 - name: stigrule_244538__etc_dconf_db_local_d_locks_session_idle_delay
   lineinfile:
     path: /etc/dconf/db/local.d/locks/session
     line: "{{ rhel8STIG_stigrule_244538__etc_dconf_db_local_d_locks_session_idle_delay_Line }}"
     create: yes
-  notify: dconf_update
   when:
     - rhel8STIG_stigrule_244538_Manage
 # R-244539 RHEL-08-020082
@@ -1678,7 +1683,6 @@
     path: /etc/dconf/db/local.d/locks/session
     line: "{{ rhel8STIG_stigrule_244539__etc_dconf_db_local_d_locks_session_lock_enabled_Line }}"
     create: yes
-  notify: dconf_update
   when:
     - rhel8STIG_stigrule_244539_Manage
 # R-244542 RHEL-08-030181

collections/ansible_collections/demo/compliance/roles/rhel9STIG/defaults/main.yml

@@ -159,7 +159,7 @@ rhel9STIG_stigrule_257834_Manage: True
 rhel9STIG_stigrule_257834_tuned_State: removed
 # R-257835 RHEL-09-215060
 rhel9STIG_stigrule_257835_Manage: True
-rhel9STIG_stigrule_257835_tftp_server_State: removed
+rhel9STIG_stigrule_257835_tftp_State: removed
 # R-257836 RHEL-09-215065
 rhel9STIG_stigrule_257836_Manage: True
 rhel9STIG_stigrule_257836_quagga_State: removed
@@ -302,6 +302,10 @@ rhel9STIG_stigrule_257916__var_log_messages_owner_Owner: root
 rhel9STIG_stigrule_257917_Manage: True
 rhel9STIG_stigrule_257917__var_log_messages_group_owner_Dest: /var/log/messages
 rhel9STIG_stigrule_257917__var_log_messages_group_owner_Group: root
+# R-257933 RHEL-09-232265
+rhel9STIG_stigrule_257933_Manage: True
+rhel9STIG_stigrule_257933__etc_crontab_mode_Dest: /etc/crontab
+rhel9STIG_stigrule_257933__etc_crontab_mode_Mode: '0600'
 # R-257934 RHEL-09-232270
 rhel9STIG_stigrule_257934_Manage: True
 rhel9STIG_stigrule_257934__etc_shadow_mode_Dest: /etc/shadow
@@ -451,6 +455,9 @@ rhel9STIG_stigrule_257985_PermitRootLogin_Line: PermitRootLogin no
 # R-257986 RHEL-09-255050
 rhel9STIG_stigrule_257986_Manage: True
 rhel9STIG_stigrule_257986_UsePAM_Line: UsePAM yes
+# R-257989 RHEL-09-255065
+rhel9STIG_stigrule_257989_Manage: True
+rhel9STIG_stigrule_257989__etc_crypto_policies_back_ends_openssh_config_Line: 'Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr'
 # R-257992 RHEL-09-255080
 rhel9STIG_stigrule_257992_Manage: True
 rhel9STIG_stigrule_257992_HostbasedAuthentication_Line: HostbasedAuthentication no
@@ -502,6 +509,9 @@ rhel9STIG_stigrule_258008_StrictModes_Line: StrictModes yes
 # R-258009 RHEL-09-255165
 rhel9STIG_stigrule_258009_Manage: True
 rhel9STIG_stigrule_258009_PrintLastLog_Line: PrintLastLog yes
+# R-258010 RHEL-09-255170
+rhel9STIG_stigrule_258010_Manage: True
+rhel9STIG_stigrule_258010_UsePrivilegeSeparation_Line: UsePrivilegeSeparation sandbox
 # R-258011 RHEL-09-255175
 rhel9STIG_stigrule_258011_Manage: True
 rhel9STIG_stigrule_258011_X11UseLocalhost_Line: X11UseLocalhost yes
@@ -550,9 +560,10 @@ rhel9STIG_stigrule_258026__etc_dconf_db_local_d_locks_session_lock_delay_Line: '
 # R-258027 RHEL-09-271085
 rhel9STIG_stigrule_258027_Manage: True
 rhel9STIG_stigrule_258027__etc_dconf_db_local_d_00_security_settings_Value: "''"
-# R-258027 RHEL-09-271085
-rhel9STIG_stigrule_258027_Manage: True
 rhel9STIG_stigrule_258027__etc_dconf_db_local_d_locks_00_security_settings_lock_picture_uri_Line: '/org/gnome/desktop/screensaver/picture-uri'
+# R-258029 RHEL-09-271095
+rhel9STIG_stigrule_258029_Manage: True
+rhel9STIG_stigrule_258029__etc_dconf_db_local_d_00_security_settings_Value: "'true'"
 # R-258030 RHEL-09-271100
 rhel9STIG_stigrule_258030_Manage: True
 rhel9STIG_stigrule_258030__etc_dconf_db_local_d_locks_session_disable_restart_buttons_Line: '/org/gnome/login-screen/disable-restart-buttons'
@@ -572,8 +583,6 @@ rhel9STIG_stigrule_258034__etc_modprobe_d_usb_storage_conf_blacklist_usb_storage
 # R-258035 RHEL-09-291015
 rhel9STIG_stigrule_258035_Manage: True
 rhel9STIG_stigrule_258035_usbguard_State: installed
-rhel9STIG_stigrule_258035_usbguard_enable_Enabled: yes
-rhel9STIG_stigrule_258035_usbguard_start_State: started
 # R-258036 RHEL-09-291020
 rhel9STIG_stigrule_258036_Manage: True
 rhel9STIG_stigrule_258036_usbguard_enable_Enabled: yes
@@ -612,6 +621,12 @@ rhel9STIG_stigrule_258057__etc_security_faillock_conf_Line: 'unlock_time = 0'
 # R-258060 RHEL-09-411105
 rhel9STIG_stigrule_258060_Manage: True
 rhel9STIG_stigrule_258060__etc_security_faillock_conf_Line: 'dir = /var/log/faillock'
+# R-258063 RHEL-09-412010
+rhel9STIG_stigrule_258063_Manage: True
+rhel9STIG_stigrule_258063_tmux_State: installed
+# R-258066 RHEL-09-412025
+rhel9STIG_stigrule_258066_Manage: True
+rhel9STIG_stigrule_258066__etc_tmux_conf_Line: 'set -g lock-after-time 900'
 # R-258069 RHEL-09-412040
 rhel9STIG_stigrule_258069_Manage: True
 rhel9STIG_stigrule_258069__etc_security_limits_conf_Line: '* hard maxlogins 10'
@@ -673,6 +688,9 @@ rhel9STIG_stigrule_258104__etc_login_defs_Line: 'PASS_MIN_DAYS 1'
 # R-258107 RHEL-09-611090
 rhel9STIG_stigrule_258107_Manage: True
 rhel9STIG_stigrule_258107__etc_security_pwquality_conf_Line: 'minlen = 15'
+# R-258108 RHEL-09-611095
+rhel9STIG_stigrule_258108_Manage: True
+rhel9STIG_stigrule_258108__etc_login_defs_Line: 'PASS_MIN_LEN 15'
 # R-258109 RHEL-09-611100
 rhel9STIG_stigrule_258109_Manage: True
 rhel9STIG_stigrule_258109__etc_security_pwquality_conf_Line: 'ocredit = -1'
@@ -700,6 +718,9 @@ rhel9STIG_stigrule_258116__etc_libuser_conf_Value: 'sha512'
 # R-258117 RHEL-09-611140
 rhel9STIG_stigrule_258117_Manage: True
 rhel9STIG_stigrule_258117__etc_login_defs_Line: 'ENCRYPT_METHOD SHA512'
+# R-258119 RHEL-09-611150
+rhel9STIG_stigrule_258119_Manage: True
+rhel9STIG_stigrule_258119__etc_login_defs_Line: 'SHA_CRYPT_MIN_ROUNDS 5000'
 # R-258121 RHEL-09-611160
 rhel9STIG_stigrule_258121_Manage: True
 rhel9STIG_stigrule_258121__etc_opensc_conf_Line: 'card_drivers = cac;'
@@ -738,6 +759,9 @@ rhel9STIG_stigrule_258142_rsyslog_start_State: started
 # R-258144 RHEL-09-652030
 rhel9STIG_stigrule_258144_Manage: True
 rhel9STIG_stigrule_258144__etc_rsyslog_conf_Line: 'auth.*;authpriv.*;daemon.*                              /var/log/secure'
+# R-258145 RHEL-09-652035
+rhel9STIG_stigrule_258145_Manage: True
+rhel9STIG_stigrule_258145__etc_audit_plugins_d_syslog_conf_Line: 'active = yes'
 # R-258146 RHEL-09-652040
 rhel9STIG_stigrule_258146_Manage: True
 rhel9STIG_stigrule_258146__etc_rsyslog_conf_Line: '$ActionSendStreamDriverAuthMode x509/name'
@@ -976,9 +1000,12 @@ rhel9STIG_stigrule_258228__etc_audit_rules_d_audit_rules_loginuid_immutable_Line
 # R-258229 RHEL-09-654275
 rhel9STIG_stigrule_258229_Manage: True
 rhel9STIG_stigrule_258229__etc_audit_rules_d_audit_rules_e2_Line: '-e 2'
-# R-258234 RHEL-09-215100
+# R-258234 RHEL-09-672010
 rhel9STIG_stigrule_258234_Manage: True
 rhel9STIG_stigrule_258234_crypto_policies_State: installed
-# R-272488 RHEL-09-215101
-rhel9STIG_stigrule_272488_Manage: True
-rhel9STIG_stigrule_272488_postfix_State: installed
+# R-258239 RHEL-09-672035
+rhel9STIG_stigrule_258239_Manage: True
+rhel9STIG_stigrule_258239__etc_pki_tls_openssl_cnf_Line: '.include = /etc/crypto-policies/back-ends/opensslcnf.config'
+# R-258240 RHEL-09-672040
+rhel9STIG_stigrule_258240_Manage: True
+rhel9STIG_stigrule_258240__etc_crypto_policies_back_ends_opensslcnf_config_Line: 'TLS.MinProtocol = TLSv1.2'

collections/ansible_collections/demo/compliance/roles/rhel9STIG/tasks/main.yml

@@ -56,7 +56,7 @@
 - name: stigrule_257785_ctrl_alt_del_target_disable
   systemd_service:
     name: ctrl-alt-del.target
-    enabled: "{{ rhel9STIG_stigrule_257785_ctrl_alt_del_target_disable_Enabled }}"
+    enabled : "{{ rhel9STIG_stigrule_257785_ctrl_alt_del_target_disable_Enabled }}"
   when:
     - rhel9STIG_stigrule_257785_Manage
     - result.rc == 0
@@ -84,7 +84,7 @@
 - name: stigrule_257786_debug_shell_service_disable
   systemd_service:
     name: debug-shell.service
-    enabled: "{{ rhel9STIG_stigrule_257786_debug_shell_service_disable_Enabled }}"
+    enabled : "{{ rhel9STIG_stigrule_257786_debug_shell_service_disable_Enabled }}"
   when:
     - rhel9STIG_stigrule_257786_Manage
     - result.rc == 0
@@ -333,7 +333,7 @@
 - name: stigrule_257815_systemd_coredump_socket_disable
   systemd_service:
     name: systemd-coredump.socket
-    enabled: "{{ rhel9STIG_stigrule_257815_systemd_coredump_socket_disable_Enabled }}"
+    enabled : "{{ rhel9STIG_stigrule_257815_systemd_coredump_socket_disable_Enabled }}"
   when:
     - rhel9STIG_stigrule_257815_Manage
     - result.rc == 0
@@ -371,7 +371,7 @@
 - name: stigrule_257818_kdump_disable
   systemd_service:
     name: kdump.service
-    enabled: "{{ rhel9STIG_stigrule_257818_kdump_disable_Enabled }}"
+    enabled : "{{ rhel9STIG_stigrule_257818_kdump_disable_Enabled }}"
   when:
     - rhel9STIG_stigrule_257818_Manage
     - result.rc == 0
@@ -474,10 +474,10 @@
     state: "{{ rhel9STIG_stigrule_257834_tuned_State }}"
   when: rhel9STIG_stigrule_257834_Manage
 # R-257835 RHEL-09-215060
-- name: stigrule_257835_tftp_server
+- name: stigrule_257835_tftp
   yum:
-    name: tftp-server
-    state: "{{ rhel9STIG_stigrule_257835_tftp_server_State }}"
+    name: tftp
+    state: "{{ rhel9STIG_stigrule_257835_tftp_State }}"
   when: rhel9STIG_stigrule_257835_Manage
 # R-257836 RHEL-09-215065
 - name: stigrule_257836_quagga
@@ -525,7 +525,7 @@
 - name: stigrule_257849_autofs_service_disable
   systemd_service:
     name: autofs.service
-    enabled: "{{ rhel9STIG_stigrule_257849_autofs_service_disable_Enabled }}"
+    enabled : "{{ rhel9STIG_stigrule_257849_autofs_service_disable_Enabled }}"
   when:
     - rhel9STIG_stigrule_257849_Manage
     - result.rc == 0
@@ -764,6 +764,13 @@
     group: "{{ rhel9STIG_stigrule_257917__var_log_messages_group_owner_Group }}"
   when:
     - rhel9STIG_stigrule_257917_Manage
+# R-257933 RHEL-09-232265
+- name: stigrule_257933__etc_crontab_mode
+  file:
+    dest: "{{ rhel9STIG_stigrule_257933__etc_crontab_mode_Dest }}"
+    mode: "{{ rhel9STIG_stigrule_257933__etc_crontab_mode_Mode }}"
+  when:
+    - rhel9STIG_stigrule_257933_Manage
 # R-257934 RHEL-09-232270
 - name: stigrule_257934__etc_shadow_mode
   file:
@@ -1230,6 +1237,16 @@
   when:
     - rhel9STIG_stigrule_257986_Manage
     - "'openssh-server' in packages"
+# R-257989 RHEL-09-255065
+- name: stigrule_257989__etc_crypto_policies_back_ends_openssh_config
+  lineinfile:
+    path: /etc/crypto-policies/back-ends/openssh.config
+    regexp: '^\s*Ciphers\s+\S+\s*$'
+    line: "{{ rhel9STIG_stigrule_257989__etc_crypto_policies_back_ends_openssh_config_Line }}"
+    create: yes
+  notify: do_reboot
+  when:
+    - rhel9STIG_stigrule_257989_Manage
 # R-257992 RHEL-09-255080
 - name: stigrule_257992_HostbasedAuthentication
   lineinfile:
@@ -1381,6 +1398,16 @@
   when:
     - rhel9STIG_stigrule_258009_Manage
     - "'openssh-server' in packages"
+# R-258010 RHEL-09-255170
+- name: stigrule_258010_UsePrivilegeSeparation
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '(?i)^\s*UsePrivilegeSeparation\s+'
+    line: "{{ rhel9STIG_stigrule_258010_UsePrivilegeSeparation_Line }}"
+  notify: ssh_restart
+  when:
+    - rhel9STIG_stigrule_258010_Manage
+    - "'openssh-server' in packages"
 # R-258011 RHEL-09-255175
 - name: stigrule_258011_X11UseLocalhost
   lineinfile:
@@ -1567,6 +1594,18 @@
   when:
     - rhel9STIG_stigrule_258027_Manage
     - "'dconf' in packages"
+# R-258029 RHEL-09-271095
+- name: stigrule_258029__etc_dconf_db_local_d_00_security_settings
+  ini_file:
+    path: /etc/dconf/db/local.d/00-security-settings
+    section: org/gnome/login-screen
+    option: disable-restart-buttons
+    value: "{{ rhel9STIG_stigrule_258029__etc_dconf_db_local_d_00_security_settings_Value }}"
+    no_extra_spaces: yes
+  notify: dconf_update
+  when:
+    - rhel9STIG_stigrule_258029_Manage
+    - "'dconf' in packages"
 # R-258030 RHEL-09-271100
 - name: stigrule_258030__etc_dconf_db_local_d_locks_session_disable_restart_buttons
   lineinfile:
@@ -1635,34 +1674,6 @@
     name: usbguard
     state: "{{ rhel9STIG_stigrule_258035_usbguard_State }}"
   when: rhel9STIG_stigrule_258035_Manage
-# R-258035 RHEL-09-291015
-- name: check if usbguard.service is installed
-  shell: ! systemctl list-unit-files | grep "^usbguard.service[ \t]\+"
-  changed_when: False
-  check_mode: no
-  register: result
-  failed_when: result.rc > 1
-- name: stigrule_258035_usbguard_enable
-  service:
-    name: usbguard.service
-    enabled: "{{ rhel9STIG_stigrule_258035_usbguard_enable_Enabled }}"
-  when:
-    - rhel9STIG_stigrule_258035_Manage
-    - result.rc == 0
-# R-258035 RHEL-09-291015
-- name: check if usbguard.service is installed
-  shell: ! systemctl list-unit-files | grep "^usbguard.service[ \t]\+"
-  changed_when: False
-  check_mode: no
-  register: result
-  failed_when: result.rc > 1
-- name: stigrule_258035_usbguard_start
-  service:
-    name: usbguard.service
-    state: "{{ rhel9STIG_stigrule_258035_usbguard_start_State }}"
-  when:
-    - rhel9STIG_stigrule_258035_Manage
-    - result.rc == 0
 # R-258036 RHEL-09-291020
 - name: check if usbguard.service is installed
   shell: ! systemctl list-unit-files | grep "^usbguard.service[ \t]\+"
@@ -1810,6 +1821,20 @@
   notify: with_faillock_enable
   when:
     - rhel9STIG_stigrule_258060_Manage
+# R-258063 RHEL-09-412010
+- name: stigrule_258063_tmux
+  yum:
+    name: tmux
+    state: "{{ rhel9STIG_stigrule_258063_tmux_State }}"
+  when: rhel9STIG_stigrule_258063_Manage
+# R-258066 RHEL-09-412025
+- name: stigrule_258066__etc_tmux_conf
+  lineinfile:
+    path: /etc/tmux.conf
+    line: "{{ rhel9STIG_stigrule_258066__etc_tmux_conf_Line }}"
+    create: yes
+  when:
+    - rhel9STIG_stigrule_258066_Manage
 # R-258069 RHEL-09-412040
 - name: stigrule_258069__etc_security_limits_conf
   lineinfile:
@@ -2000,6 +2025,15 @@
     create: yes
   when:
     - rhel9STIG_stigrule_258107_Manage
+# R-258108 RHEL-09-611095
+- name: stigrule_258108__etc_login_defs
+  lineinfile:
+    path: /etc/login.defs
+    regexp: '^PASS_MIN_LEN'
+    line: "{{ rhel9STIG_stigrule_258108__etc_login_defs_Line }}"
+    create: yes
+  when:
+    - rhel9STIG_stigrule_258108_Manage
 # R-258109 RHEL-09-611100
 - name: stigrule_258109__etc_security_pwquality_conf
   lineinfile:
@@ -2082,6 +2116,15 @@
     create: yes
   when:
     - rhel9STIG_stigrule_258117_Manage
+# R-258119 RHEL-09-611150
+- name: stigrule_258119__etc_login_defs
+  lineinfile:
+    path: /etc/login.defs
+    regexp: '^SHA_CRYPT_MIN_ROUNDS'
+    line: "{{ rhel9STIG_stigrule_258119__etc_login_defs_Line }}"
+    create: yes
+  when:
+    - rhel9STIG_stigrule_258119_Manage
 # R-258121 RHEL-09-611160
 - name: stigrule_258121__etc_opensc_conf
   lineinfile:
@@ -2221,6 +2264,16 @@
   notify: rsyslog_restart
   when:
     - rhel9STIG_stigrule_258144_Manage
+# R-258145 RHEL-09-652035
+- name: stigrule_258145__etc_audit_plugins_d_syslog_conf
+  lineinfile:
+    path: /etc/audit/plugins.d/syslog.conf
+    regexp: '^\s*active\s*='
+    line: "{{ rhel9STIG_stigrule_258145__etc_audit_plugins_d_syslog_conf_Line }}"
+    create: yes
+  notify: auditd_restart
+  when:
+    - rhel9STIG_stigrule_258145_Manage
 # R-258146 RHEL-09-652040
 - name: stigrule_258146__etc_rsyslog_conf
   lineinfile:
@@ -2449,7 +2502,7 @@
     state: "{{ rhel9STIG_stigrule_258175_audispd_plugins_State }}"
   when: rhel9STIG_stigrule_258175_Manage
 # R-258176 RHEL-09-654010
-- name: stigrule_258176__etc_audit_rules_d_audit_rules_execve_euid_b32
+- name : stigrule_258176__etc_audit_rules_d_audit_rules_execve_euid_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv$'
@@ -2457,7 +2510,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258176_Manage
 # R-258176 RHEL-09-654010
-- name: stigrule_258176__etc_audit_rules_d_audit_rules_execve_euid_b64
+- name : stigrule_258176__etc_audit_rules_d_audit_rules_execve_euid_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv$'
@@ -2465,7 +2518,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258176_Manage
 # R-258176 RHEL-09-654010
-- name: stigrule_258176__etc_audit_rules_d_audit_rules_execve_egid_b32
+- name : stigrule_258176__etc_audit_rules_d_audit_rules_execve_egid_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv$'
@@ -2473,7 +2526,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258176_Manage
 # R-258176 RHEL-09-654010
-- name: stigrule_258176__etc_audit_rules_d_audit_rules_execve_egid_b64
+- name : stigrule_258176__etc_audit_rules_d_audit_rules_execve_egid_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv$'
@@ -2481,7 +2534,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258176_Manage
 # R-258177 RHEL-09-654015
-- name: stigrule_258177__etc_audit_rules_d_audit_rules_chmod_b32
+- name : stigrule_258177__etc_audit_rules_d_audit_rules_chmod_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -2489,7 +2542,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258177_Manage
 # R-258177 RHEL-09-654015
-- name: stigrule_258177__etc_audit_rules_d_audit_rules_chmod_b64
+- name : stigrule_258177__etc_audit_rules_d_audit_rules_chmod_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -2497,7 +2550,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258177_Manage
 # R-258178 RHEL-09-654020
-- name: stigrule_258178__etc_audit_rules_d_audit_rules_chown_b32
+- name : stigrule_258178__etc_audit_rules_d_audit_rules_chown_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -2505,7 +2558,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258178_Manage
 # R-258178 RHEL-09-654020
-- name: stigrule_258178__etc_audit_rules_d_audit_rules_chown_b64
+- name : stigrule_258178__etc_audit_rules_d_audit_rules_chown_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -2513,7 +2566,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258178_Manage
 # R-258179 RHEL-09-654025
-- name: stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b32_unset
+- name : stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b32_unset
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -2521,7 +2574,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258179_Manage
 # R-258179 RHEL-09-654025
-- name: stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b64_unset
+- name : stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b64_unset
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -2529,7 +2582,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258179_Manage
 # R-258179 RHEL-09-654025
-- name: stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b32
+- name : stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod$'
@@ -2537,7 +2590,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258179_Manage
 # R-258179 RHEL-09-654025
-- name: stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b64
+- name : stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod$'
@@ -2545,7 +2598,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258179_Manage
 # R-258180 RHEL-09-654030
-- name: stigrule_258180__etc_audit_rules_d_audit_rules__usr_bin_umount
+- name : stigrule_258180__etc_audit_rules_d_audit_rules__usr_bin_umount
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount$'
@@ -2553,7 +2606,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258180_Manage
 # R-258181 RHEL-09-654035
-- name: stigrule_258181__etc_audit_rules_d_audit_rules__usr_bin_chacl
+- name : stigrule_258181__etc_audit_rules_d_audit_rules__usr_bin_chacl
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -2561,7 +2614,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258181_Manage
 # R-258182 RHEL-09-654040
-- name: stigrule_258182__etc_audit_rules_d_audit_rules__usr_bin_setfacl
+- name : stigrule_258182__etc_audit_rules_d_audit_rules__usr_bin_setfacl
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -2569,7 +2622,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258182_Manage
 # R-258183 RHEL-09-654045
-- name: stigrule_258183__etc_audit_rules_d_audit_rules__usr_bin_chcon
+- name : stigrule_258183__etc_audit_rules_d_audit_rules__usr_bin_chcon
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -2577,7 +2630,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258183_Manage
 # R-258184 RHEL-09-654050
-- name: stigrule_258184__etc_audit_rules_d_audit_rules__usr_sbin_semanage
+- name : stigrule_258184__etc_audit_rules_d_audit_rules__usr_sbin_semanage
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -2585,7 +2638,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258184_Manage
 # R-258185 RHEL-09-654055
-- name: stigrule_258185__etc_audit_rules_d_audit_rules__usr_sbin_setfiles
+- name : stigrule_258185__etc_audit_rules_d_audit_rules__usr_sbin_setfiles
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -2593,7 +2646,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258185_Manage
 # R-258186 RHEL-09-654060
-- name: stigrule_258186__etc_audit_rules_d_audit_rules__usr_sbin_setsebool
+- name : stigrule_258186__etc_audit_rules_d_audit_rules__usr_sbin_setsebool
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged$'
@@ -2601,7 +2654,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258186_Manage
 # R-258187 RHEL-09-654065
-- name: stigrule_258187__etc_audit_rules_d_audit_rules_rename_b32
+- name : stigrule_258187__etc_audit_rules_d_audit_rules_rename_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete$'
@@ -2609,7 +2662,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258187_Manage
 # R-258187 RHEL-09-654065
-- name: stigrule_258187__etc_audit_rules_d_audit_rules_rename_b64
+- name : stigrule_258187__etc_audit_rules_d_audit_rules_rename_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete$'
@@ -2617,7 +2670,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258187_Manage
 # R-258188 RHEL-09-654070
-- name: stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EPERM_b32
+- name : stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EPERM_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access$'
@@ -2625,7 +2678,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258188_Manage
 # R-258188 RHEL-09-654070
-- name: stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EPERM_b64
+- name : stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EPERM_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access$'
@@ -2633,7 +2686,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258188_Manage
 # R-258188 RHEL-09-654070
-- name: stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EACCES_b32
+- name : stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EACCES_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access$'
@@ -2641,7 +2694,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258188_Manage
 # R-258188 RHEL-09-654070
-- name: stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EACCES_b64
+- name : stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EACCES_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access$'
@@ -2649,7 +2702,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258188_Manage
 # R-258189 RHEL-09-654075
-- name: stigrule_258189__etc_audit_rules_d_audit_rules_delete_module_b32
+- name : stigrule_258189__etc_audit_rules_d_audit_rules_delete_module_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng$'
@@ -2657,7 +2710,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258189_Manage
 # R-258189 RHEL-09-654075
-- name: stigrule_258189__etc_audit_rules_d_audit_rules_delete_module_b64
+- name : stigrule_258189__etc_audit_rules_d_audit_rules_delete_module_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng$'
@@ -2665,7 +2718,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258189_Manage
 # R-258190 RHEL-09-654080
-- name: stigrule_258190__etc_audit_rules_d_audit_rules_init_module_b32
+- name : stigrule_258190__etc_audit_rules_d_audit_rules_init_module_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng$'
@@ -2673,7 +2726,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258190_Manage
 # R-258190 RHEL-09-654080
-- name: stigrule_258190__etc_audit_rules_d_audit_rules_init_module_b64
+- name : stigrule_258190__etc_audit_rules_d_audit_rules_init_module_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng$'
@@ -2681,7 +2734,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258190_Manage
 # R-258191 RHEL-09-654085
-- name: stigrule_258191__etc_audit_rules_d_audit_rules__usr_bin_chage
+- name : stigrule_258191__etc_audit_rules_d_audit_rules__usr_bin_chage
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage$'
@@ -2689,7 +2742,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258191_Manage
 # R-258192 RHEL-09-654090
-- name: stigrule_258192__etc_audit_rules_d_audit_rules__usr_bin_chsh
+- name : stigrule_258192__etc_audit_rules_d_audit_rules__usr_bin_chsh
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd$'
@@ -2697,7 +2750,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258192_Manage
 # R-258193 RHEL-09-654095
-- name: stigrule_258193__etc_audit_rules_d_audit_rules__usr_bin_crontab
+- name : stigrule_258193__etc_audit_rules_d_audit_rules__usr_bin_crontab
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab$'
@@ -2705,7 +2758,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258193_Manage
 # R-258194 RHEL-09-654100
-- name: stigrule_258194__etc_audit_rules_d_audit_rules__usr_bin_gpasswd
+- name : stigrule_258194__etc_audit_rules_d_audit_rules__usr_bin_gpasswd
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd$'
@@ -2713,7 +2766,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258194_Manage
 # R-258195 RHEL-09-654105
-- name: stigrule_258195__etc_audit_rules_d_audit_rules__usr_bin_kmod
+- name : stigrule_258195__etc_audit_rules_d_audit_rules__usr_bin_kmod
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules$'
@@ -2721,7 +2774,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258195_Manage
 # R-258196 RHEL-09-654110
-- name: stigrule_258196__etc_audit_rules_d_audit_rules__usr_bin_newgrp
+- name : stigrule_258196__etc_audit_rules_d_audit_rules__usr_bin_newgrp
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd$'
@@ -2729,7 +2782,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258196_Manage
 # R-258197 RHEL-09-654115
-- name: stigrule_258197__etc_audit_rules_d_audit_rules__usr_sbin_pam_timestamp_check
+- name : stigrule_258197__etc_audit_rules_d_audit_rules__usr_sbin_pam_timestamp_check
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check$'
@@ -2737,7 +2790,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258197_Manage
 # R-258198 RHEL-09-654120
-- name: stigrule_258198__etc_audit_rules_d_audit_rules__usr_bin_passwd
+- name : stigrule_258198__etc_audit_rules_d_audit_rules__usr_bin_passwd
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd$'
@@ -2745,7 +2798,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258198_Manage
 # R-258199 RHEL-09-654125
-- name: stigrule_258199__etc_audit_rules_d_audit_rules__usr_sbin_postdrop
+- name : stigrule_258199__etc_audit_rules_d_audit_rules__usr_sbin_postdrop
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -2753,7 +2806,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258199_Manage
 # R-258200 RHEL-09-654130
-- name: stigrule_258200__etc_audit_rules_d_audit_rules__usr_sbin_postqueue
+- name : stigrule_258200__etc_audit_rules_d_audit_rules__usr_sbin_postqueue
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -2761,7 +2814,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258200_Manage
 # R-258201 RHEL-09-654135
-- name: stigrule_258201__etc_audit_rules_d_audit_rules__usr_bin_ssh_agent
+- name : stigrule_258201__etc_audit_rules_d_audit_rules__usr_bin_ssh_agent
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh$'
@@ -2769,7 +2822,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258201_Manage
 # R-258202 RHEL-09-654140
-- name: stigrule_258202__etc_audit_rules_d_audit_rules__usr_libexec_openssh_ssh_keysign
+- name : stigrule_258202__etc_audit_rules_d_audit_rules__usr_libexec_openssh_ssh_keysign
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh$'
@@ -2777,7 +2830,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258202_Manage
 # R-258203 RHEL-09-654145
-- name: stigrule_258203__etc_audit_rules_d_audit_rules__usr_bin_su
+- name : stigrule_258203__etc_audit_rules_d_audit_rules__usr_bin_su
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change$'
@@ -2785,7 +2838,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258203_Manage
 # R-258204 RHEL-09-654150
-- name: stigrule_258204__etc_audit_rules_d_audit_rules__usr_bin_sudo
+- name : stigrule_258204__etc_audit_rules_d_audit_rules__usr_bin_sudo
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd$'
@@ -2793,7 +2846,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258204_Manage
 # R-258205 RHEL-09-654155
-- name: stigrule_258205__etc_audit_rules_d_audit_rules__usr_bin_sudoedit
+- name : stigrule_258205__etc_audit_rules_d_audit_rules__usr_bin_sudoedit
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd$'
@@ -2801,7 +2854,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258205_Manage
 # R-258206 RHEL-09-654160
-- name: stigrule_258206__etc_audit_rules_d_audit_rules__usr_sbin_unix_chkpwd
+- name : stigrule_258206__etc_audit_rules_d_audit_rules__usr_sbin_unix_chkpwd
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -2809,7 +2862,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258206_Manage
 # R-258207 RHEL-09-654165
-- name: stigrule_258207__etc_audit_rules_d_audit_rules__usr_sbin_unix_update
+- name : stigrule_258207__etc_audit_rules_d_audit_rules__usr_sbin_unix_update
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -2817,7 +2870,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258207_Manage
 # R-258208 RHEL-09-654170
-- name: stigrule_258208__etc_audit_rules_d_audit_rules__usr_sbin_userhelper
+- name : stigrule_258208__etc_audit_rules_d_audit_rules__usr_sbin_userhelper
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -2825,7 +2878,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258208_Manage
 # R-258209 RHEL-09-654175
-- name: stigrule_258209__etc_audit_rules_d_audit_rules__usr_sbin_usermod
+- name : stigrule_258209__etc_audit_rules_d_audit_rules__usr_sbin_usermod
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod$'
@@ -2833,7 +2886,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258209_Manage
 # R-258210 RHEL-09-654180
-- name: stigrule_258210__etc_audit_rules_d_audit_rules__usr_bin_mount
+- name : stigrule_258210__etc_audit_rules_d_audit_rules__usr_bin_mount
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount$'
@@ -2841,7 +2894,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258210_Manage
 # R-258211 RHEL-09-654185
-- name: stigrule_258211__etc_audit_rules_d_audit_rules__usr_sbin_init
+- name : stigrule_258211__etc_audit_rules_d_audit_rules__usr_sbin_init
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init$'
@@ -2849,7 +2902,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258211_Manage
 # R-258212 RHEL-09-654190
-- name: stigrule_258212__etc_audit_rules_d_audit_rules__usr_sbin_poweroff
+- name : stigrule_258212__etc_audit_rules_d_audit_rules__usr_sbin_poweroff
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged-poweroff$'
@@ -2857,7 +2910,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258212_Manage
 # R-258213 RHEL-09-654195
-- name: stigrule_258213__etc_audit_rules_d_audit_rules__usr_sbin_reboot
+- name : stigrule_258213__etc_audit_rules_d_audit_rules__usr_sbin_reboot
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot$'
@@ -2865,7 +2918,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258213_Manage
 # R-258214 RHEL-09-654200
-- name: stigrule_258214__etc_audit_rules_d_audit_rules__usr_sbin_shutdown
+- name : stigrule_258214__etc_audit_rules_d_audit_rules__usr_sbin_shutdown
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown$'
@@ -2873,7 +2926,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258214_Manage
 # R-258217 RHEL-09-654215
-- name: stigrule_258217__etc_audit_rules_d_audit_rules__etc_sudoers
+- name : stigrule_258217__etc_audit_rules_d_audit_rules__etc_sudoers
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-w /etc/sudoers -p wa -k identity$'
@@ -2881,7 +2934,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258217_Manage
 # R-258218 RHEL-09-654220
-- name: stigrule_258218__etc_audit_rules_d_audit_rules__etc_sudoers_d_
+- name : stigrule_258218__etc_audit_rules_d_audit_rules__etc_sudoers_d_
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-w /etc/sudoers.d/ -p wa -k identity$'
@@ -2889,7 +2942,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258218_Manage
 # R-258219 RHEL-09-654225
-- name: stigrule_258219__etc_audit_rules_d_audit_rules__etc_group
+- name : stigrule_258219__etc_audit_rules_d_audit_rules__etc_group
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-w /etc/group -p wa -k identity$'
@@ -2897,7 +2950,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258219_Manage
 # R-258220 RHEL-09-654230
-- name: stigrule_258220__etc_audit_rules_d_audit_rules__etc_gshadow
+- name : stigrule_258220__etc_audit_rules_d_audit_rules__etc_gshadow
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-w /etc/gshadow -p wa -k identity$'
@@ -2905,7 +2958,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258220_Manage
 # R-258221 RHEL-09-654235
-- name: stigrule_258221__etc_audit_rules_d_audit_rules__etc_security_opasswd
+- name : stigrule_258221__etc_audit_rules_d_audit_rules__etc_security_opasswd
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-w /etc/security/opasswd -p wa -k identity$'
@@ -2913,7 +2966,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258221_Manage
 # R-258222 RHEL-09-654240
-- name: stigrule_258222__etc_audit_rules_d_audit_rules__etc_passwd
+- name : stigrule_258222__etc_audit_rules_d_audit_rules__etc_passwd
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-w /etc/passwd -p wa -k identity$'
@@ -2921,7 +2974,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258222_Manage
 # R-258223 RHEL-09-654245
-- name: stigrule_258223__etc_audit_rules_d_audit_rules__etc_shadow
+- name : stigrule_258223__etc_audit_rules_d_audit_rules__etc_shadow
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-w /etc/shadow -p wa -k identity$'
@@ -2929,7 +2982,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258223_Manage
 # R-258224 RHEL-09-654250
-- name: stigrule_258224__etc_audit_rules_d_audit_rules__var_log_faillock
+- name : stigrule_258224__etc_audit_rules_d_audit_rules__var_log_faillock
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-w /var/log/faillock -p wa -k logins$'
@@ -2937,7 +2990,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258224_Manage
 # R-258225 RHEL-09-654255
-- name: stigrule_258225__etc_audit_rules_d_audit_rules__var_log_lastlog
+- name : stigrule_258225__etc_audit_rules_d_audit_rules__var_log_lastlog
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-w /var/log/lastlog -p wa -k logins$'
@@ -2945,7 +2998,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258225_Manage
 # R-258226 RHEL-09-654260
-- name: stigrule_258226__etc_audit_rules_d_audit_rules__var_log_tallylog
+- name : stigrule_258226__etc_audit_rules_d_audit_rules__var_log_tallylog
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-w /var/log/tallylog -p wa -k logins$'
@@ -2953,7 +3006,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258226_Manage
 # R-258227 RHEL-09-654265
-- name: stigrule_258227__etc_audit_rules_d_audit_rules_f2
+- name : stigrule_258227__etc_audit_rules_d_audit_rules_f2
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-f 2$'
@@ -2961,7 +3014,7 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258227_Manage
 # R-258228 RHEL-09-654270
-- name: stigrule_258228__etc_audit_rules_d_audit_rules_loginuid_immutable
+- name : stigrule_258228__etc_audit_rules_d_audit_rules_loginuid_immutable
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^--loginuid-immutable$'
@@ -2969,22 +3022,34 @@
   notify: auditd_restart
   when: rhel9STIG_stigrule_258228_Manage
 # R-258229 RHEL-09-654275
-- name: stigrule_258229__etc_audit_rules_d_audit_rules_e2
+- name : stigrule_258229__etc_audit_rules_d_audit_rules_e2
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
     regexp: '^-e 2$'
     line: "{{ rhel9STIG_stigrule_258229__etc_audit_rules_d_audit_rules_e2_Line }}"
   notify: auditd_restart
   when: rhel9STIG_stigrule_258229_Manage
-# R-258234 RHEL-09-215100
+# R-258234 RHEL-09-672010
 - name: stigrule_258234_crypto_policies
   yum:
     name: crypto-policies
     state: "{{ rhel9STIG_stigrule_258234_crypto_policies_State }}"
   when: rhel9STIG_stigrule_258234_Manage
-# R-272488 RHEL-09-215101
-- name: stigrule_272488_postfix
-  yum:
-    name: postfix
-    state: "{{ rhel9STIG_stigrule_272488_postfix_State }}"
-  when: rhel9STIG_stigrule_272488_Manage
+# R-258239 RHEL-09-672035
+- name: stigrule_258239__etc_pki_tls_openssl_cnf
+  lineinfile:
+    path: /etc/pki/tls/openssl.cnf
+    line: "{{ rhel9STIG_stigrule_258239__etc_pki_tls_openssl_cnf_Line }}"
+    create: yes
+  when:
+    - rhel9STIG_stigrule_258239_Manage
+# R-258240 RHEL-09-672040
+- name: stigrule_258240__etc_crypto_policies_back_ends_opensslcnf_config
+  lineinfile:
+    path: /etc/crypto-policies/back-ends/opensslcnf.config
+    regexp: '^\s*TLS.MinProtocol\s*='
+    line: "{{ rhel9STIG_stigrule_258240__etc_crypto_policies_back_ends_opensslcnf_config_Line }}"
+    create: yes
+  notify: do_reboot
+  when:
+    - rhel9STIG_stigrule_258240_Manage

collections/ansible_collections/demo/patching/roles/report_linux/tasks/main.yml

@@ -31,7 +31,3 @@
 - name: Display link to inventory report
   ansible.builtin.debug:
     msg: "Please go to http://{{ hostvars[report_server]['ansible_host'] }}/reports/linux.html"
-
-- name: Display link with a new path
-  ansible.builtin.debug:
-    msg: "Please go to http://{{ hostvars[report_server]['ansible_host'] }}/reports/linux.html"

collections/requirements.yml

@@ -1,6 +1,6 @@
 ---
-# required collections are installed in the Product Demos EE.
-# additional collections needed during testing can be added here.
-collections: []
-
+collections:
+  - name: infra.aap_configuration
+    type: git
+    source: https://github.com/redhat-cop/infra.aap_configuration.git
 ...

common/setup.yml

@@ -1,11 +1,13 @@
 ---
 controller_execution_environments:
+  - name: product-demos
+    image: quay.io/acme_corp/product-demos-ee:latest
   - name: Cloud Services Execution Environment
     image: quay.io/scottharwell/cloud-ee:latest
 
 controller_organizations:
   - name: Default
-    default_environment: Product Demos EE
+    default_environment: product-demos
 
 controller_projects:
   - name: Ansible Cloud Content Lab - AWS
@@ -44,13 +46,14 @@ controller_inventory_sources:
         - tag:Name
       compose:
         ansible_host: public_ip_address
-        ansible_user: ec2-user
+        ansible_user: 'ec2-user'
       groups:
         cloud_aws: true
-        os_linux: "platform_details == 'Red Hat Enterprise Linux'"
-        os_windows: "platform_details == 'Windows'"
-
+        os_linux: tags.blueprint.startswith('rhel')
+        os_windows: tags.blueprint.startswith('win')
       keyed_groups:
+        - key: platform
+          prefix: os
         - key: tags.blueprint
           prefix: blueprint
         - key: tags.owner
@@ -59,8 +62,6 @@ controller_inventory_sources:
           prefix: purpose
         - key: tags.deployment
           prefix: deployment
-        - key: tags.Compliance
-          separator: ''
 
 controller_groups:
   - name: cloud_aws
@@ -72,8 +73,6 @@ controller_groups:
     variables:
       ansible_connection: winrm
       ansible_winrm_transport: credssp
-      ansible_winrm_server_cert_validation: ignore
-      ansible_port: 5986
 
 controller_templates:
   - name: SUBMIT FEEDBACK
@@ -277,44 +276,6 @@ controller_templates:
           variable: _hosts
           required: true
 
-  - name: Cloud / AWS / Resize EC2
-    job_type: run
-    organization: Default
-    credentials:
-      - AWS
-      - Controller Credential
-    project: Ansible Product Demos
-    playbook: cloud/resize_ec2.yml
-    inventory: Demo Inventory
-    notification_templates_started: Telemetry
-    notification_templates_success: Telemetry
-    notification_templates_error: Telemetry
-    survey_enabled: true
-    survey:
-      name: ''
-      description: ''
-      spec:
-        - question_name: AWS Region
-          type: multiplechoice
-          variable: aws_region
-          required: true
-          default: us-east-1
-          choices:
-            - us-east-1
-            - us-east-2
-            - us-west-1
-            - us-west-2
-        - question_name: Specify target hosts
-          type: text
-          variable: _hosts
-          required: true
-
-        - question_name: Specify target instance type
-          type: text
-          variable: instance_type
-          default: t3a.medium
-          required: true
-
 controller_notifications:
   - name: Telemetry
     organization: Default
@@ -323,7 +284,7 @@ controller_notifications:
       url: https://script.google.com/macros/s/AKfycbzxUObvCJ6ZbzfJyicw4RvxlGE3AZdrK4AR5-TsedCYd7O-rtTOVjvsRvqyb3rx6B0g8g/exec
       http_method: POST
       headers: {}
-
-controller_settings:
-  - name: SESSION_COOKIE_AGE
-    value: 180000
+# Has this moved out of controller?
+# controller_settings:
+#   - name: SESSION_COOKIE_AGE
+#     value: 180000

execution_environments/.gitattributes

@@ -0,0 +1 @@
+openshift-clients-4.16.0-202408021139.p0.ge8fb3c0.assembly.stream.el9.x86_64.rpm filter=lfs diff=lfs merge=lfs -text

execution_environments/README.md

@@ -1,16 +1,14 @@
 # Execution Environment Images for Ansible Product Demos
 
-When the Ansible Product Demos setup job template is run, it creates a number of execution environment definitions on the automation controller.  The content of this directory is used to create and update the default APD execution environment images defined during the setup process, [quay.io/ansible-product-demos/apd-ee-25](quay.io/ansible-product-demos/apd-ee-25).
+When the Ansible Product Demos setup job template is run, it creates a number of execution environment definitions on the automation controller.  The content of this directory is used to create and update the default execution environment images defined during the setup process.
 
-Currently the execution environment image is created manually using the `build.sh` script, with a future goal of building in a CI pipeline when the EE definition or requirements are updated.
+Currently these execution environment images are created manually using the `build.sh` script, with a future goal of building in a CI pipeline when any EE definitions or requirements are updated.
 
 ## Building the execution environment images
 
 1. `podman login registry.redhat.io` in order to pull the base EE images
-2. `export ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN="<token>"` obtained from [Automation Hub](https://console.redhat.com/ansible/automation-hub/token)
-3. `export ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN="<token>"` (same token as above)
-4. `./build.sh` to build the EE image
+2. `./build.sh` to build the EE images and add them to your local podman image cache
 
-The `build.sh` script creates a multi-architecture EE image for the amd64 (x86_64) and arm64 (aarch64) platforms.  It does so by creating the build context using `ansible-builder create`, then creating a podman manifest definition and building an EE image for each supported platform.
+The `build.sh` script creates multiple EE images, each based on the ee-minimal image that comes with a different minor version of AAP.  These images are created in the "quay.io/ansible-product-demos" namespace.  Currently the script builds the following images:
 
-NOTE: Podman will use qemu to emulate the non-native architecture at build time, so the build must be performed on a system which includes the qemu-user-static package.  Builds have only been tested on MacOS using podman-desktop with the native Fedora-based podman machine.
+* quay.io/ansible-product-demos/apd-ee-24

execution_environments/apd-ee-24.yml

@@ -0,0 +1,32 @@
+---
+version: 3
+images:
+  base_image:
+    name: registry.redhat.io/ansible-automation-platform-24/ee-minimal-rhel9:latest
+
+dependencies:
+  galaxy: requirements.yml
+
+additional_build_files:
+  # https://access.redhat.com/solutions/7024259
+  # download from access.redhat.com -> Downloads -> OpenShift Container Platform -> Packages
+  - src: openshift-clients-4.16.0-202408021139.p0.ge8fb3c0.assembly.stream.el9.x86_64.rpm
+    dest: rpms
+  - src: ansible.cfg
+    dest: configs
+
+options:
+  package_manager_path: /usr/bin/microdnf
+
+additional_build_steps:
+  prepend_base:
+    - RUN $PYCMD -m pip install --upgrade pip setuptools
+    - COPY _build/rpms/openshift-clients*.rpm /tmp/openshift-clients.rpm
+    - RUN $PKGMGR -y update && $PKGMGR -y install bash-completion && $PKGMGR clean all
+    - RUN rpm -ivh /tmp/openshift-clients.rpm && rm /tmp/openshift-clients.rpm
+  prepend_galaxy:
+    - ADD _build/configs/ansible.cfg /etc/ansible/ansible.cfg
+    - ARG ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN
+    - ARG ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN
+
+...

execution_environments/apd-ee-25.yml

@@ -3,16 +3,15 @@ version: 3
 images:
   base_image:
     name: registry.redhat.io/ansible-automation-platform-25/ee-minimal-rhel9:latest
+
 dependencies:
   galaxy: requirements.yml
-  system:
-    - python3.11-devel [platform:rpm]
-  python:
-    - pywinrm>=0.4.3
-  python_interpreter:
-    python_path: /usr/bin/python3.11
 
 additional_build_files:
+  # https://access.redhat.com/solutions/7024259
+  # download from access.redhat.com -> Downloads -> OpenShift Container Platform -> Packages
+  - src: openshift-clients-4.16.0-202408021139.p0.ge8fb3c0.assembly.stream.el9.x86_64.rpm
+    dest: rpms
   - src: ansible.cfg
     dest: configs
 
@@ -21,17 +20,13 @@ options:
 
 additional_build_steps:
   prepend_base:
-    - ARG OPENSHIFT_CLIENT_RPM
     - RUN $PYCMD -m pip install --upgrade pip setuptools
+    - COPY _build/rpms/openshift-clients*.rpm /tmp/openshift-clients.rpm
     - RUN $PKGMGR -y update && $PKGMGR -y install bash-completion && $PKGMGR clean all
-    # microdnf doesn't support URL or local file paths to RPMs, use rpm as a workaround
-    - RUN curl -o /tmp/openshift-clients.rpm $OPENSHIFT_CLIENT_RPM && rpm -Uvh /tmp/openshift-clients.rpm && rm -f /tmp/openshift-clients.rpm
+    - RUN rpm -ivh /tmp/openshift-clients.rpm && rm /tmp/openshift-clients.rpm
   prepend_galaxy:
     - ADD _build/configs/ansible.cfg /etc/ansible/ansible.cfg
     - ARG ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN
     - ARG ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN
-  append_final:
-    - RUN curl -o /etc/yum.repos.d/hasicorp.repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo &&
-      microdnf install -y terraform
 
 ...

execution_environments/build.sh

@@ -1,61 +1,26 @@
 #!/bin/bash
 
-if [[ -z $ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN || -z $ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN ]]
-then
-    echo "A valid Automation Hub token is required, Set the following environment variables before continuing"
-    echo "export ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN=<token>"
-    echo "export ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN=<token>"
-    exit 1
-fi
+# array of images to build
+ee_images=(
+    "apd-ee-24"
+)
 
-# log in to pull the base EE image
-if ! podman login --get-login registry.redhat.io > /dev/null
-then
-    echo "Run 'podman login registry.redhat.io' before continuing"
-    exit 1
-fi
-
-# create EE definition
-rm -rf ./context/*
-ansible-builder create \
-    --file apd-ee-25.yml \
-    --context ./context \
-    -v 3 | tee ansible-builder.log
-
-# remove existing manifest if present
-_tag=$(date +%Y%m%d)
-podman manifest rm quay.io/ansible-product-demos/apd-ee-25:${_tag}
-
-# create manifest for EE image
-podman manifest create quay.io/ansible-product-demos/apd-ee-25:${_tag}
-
-# for the openshift-clients RPM, microdnf doesn't support URL-based installs
-# and HTTP doesn't support file globs for GETs, use multiple steps to determine
-# the correct RPM URL for each machine architecture
-for arch in amd64 arm64
+for ee in "${ee_images[@]}"
 do
-    _baseurl=https://mirror.openshift.com/pub/openshift-v4/${arch}/dependencies/rpms/4.18-el9-beta/
-    _rpm=$(curl -s ${_baseurl} | grep openshift-clients-4 | grep href | cut -d\" -f2)
-
-    # build EE for multiple architectures from the EE context
-    pushd ./context/ > /dev/null
-    podman build --platform linux/${arch} \
+    # build EE image
+    ansible-builder build \
+        --file ${ee}.yml \
+        --context ./ee_contexts/${ee} \
         --build-arg ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN \
         --build-arg ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN \
-      --build-arg OPENSHIFT_CLIENT_RPM="${_baseurl}${_rpm}" \
-      --manifest quay.io/ansible-product-demos/apd-ee-25:${_tag} . \
-      | tee podman-build-${arch}.log
-    popd > /dev/null
+        -v 3 \
+        -t quay.io/ansible-product-demos/${ee}:$(date +%Y%m%d)
+
+    if [[ $? == 0 ]]
+    then
+        # tag EE image as latest
+        podman tag \
+            quay.io/ansible-product-demos/${ee}:$(date +%Y%m%d) \
+            quay.io/ansible-product-demos/${ee}:latest
+    fi
 done
-
-# inspect manifest content
-#podman manifest inspect quay.io/ansible-product-demos/apd-ee-25:${_tag}
-
-# tag manifest as latest
-#podman tag quay.io/ansible-product-demos/apd-ee-25:${_tag} quay.io/ansible-product-demos/apd-ee-25:latest
-
-# push all manifest content to repository
-# using --all is important here, it pushes all content and not
-# just the native platform content
-#podman manifest push --all quay.io/ansible-product-demos/apd-ee-25:${_tag}
-#podman manifest push --all quay.io/ansible-product-demos/apd-ee-25:latest

execution_environments/openshift-clients-4.16.0-202408021139.p0.ge8fb3c0.assembly.stream.el9.x86_64.rpm

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f637eb0440f14f1458800c7a9012adcb9b58eb2131c02f64dfa4ca515e182093
+size 54960859

execution_environments/requirements.yml

@@ -1,21 +1,14 @@
 ---
 collections:
-  # AAP config as code
   - name: ansible.controller
-    version: ">=4.6.0"
-  # TODO this fails trying to install a different version of
-  # the python-systemd package
-  # - name: ansible.eda  # fails trying to install systemd-python package
-  #   version: ">=2.1.0"
-  - name: ansible.hub
-    version: ">=1.0.0"
-  - name: ansible.platform
-    version: ">=2.5.0"
+    version: ">=4.5.5"
   - name: infra.ah_configuration
     version: ">=2.0.6"
   - name: infra.controller_configuration
-    version: ">=2.11.0"
-  # linux demos
+    version: ">=2.9.0"
+  - name: redhat_cop.controller_configuration
+    version: ">=2.3.1"
+  # linux
   - name: ansible.posix
     version: ">=1.5.4"
   - name: community.general
@@ -26,22 +19,20 @@ collections:
     version: ">=1.2.2"
   - name: redhat.rhel_system_roles
     version: ">=1.23.0"
-  # windows demos
-  - name: microsoft.ad
-    version: "1.9"
+  # windows
   - name: ansible.windows
     version: ">=2.3.0"
   - name: chocolatey.chocolatey
     version: ">=1.5.1"
   - name: community.windows
     version: ">=2.2.0"
-  # cloud demos
+  # cloud
   - name: amazon.aws
     version: ">=7.5.0"
-  # satellite demos
+  # satellite
   - name: redhat.satellite
     version: ">=4.0.0"
-  # network demos
+  # network
   - name: ansible.netcommon
     version: ">=6.0.0"
   - name: cisco.ios
@@ -50,20 +41,12 @@ collections:
     version: ">=8.0.0"
   - name: cisco.nxos
     version: ">=7.0.0"
-  - name: network.backup
-    version: ">=3.0.0"
-  # TODO on 2.5 ee-minimal-rhel9 this tries to build and install
-  # a different version of python netifaces, which fails
-  # - name: infoblox.nios_modules
-  #   version: ">=1.6.1"
-  # openshift demos
-  - name: ansible.utils
-    version: ">=6.0.0"
+  - name: infoblox.nios_modules
+    version: ">=1.6.1"
+  # openshift
   - name: kubernetes.core
     version: ">=4.0.0"
   - name: redhat.openshift
     version: ">=3.0.1"
   - name: redhat.openshift_virtualization
     version: ">=1.4.0"
-
-...

linux/compliance-enforce.yml

@@ -13,3 +13,4 @@
     - name: Run Compliance Profile
       ansible.builtin.include_role:
         name: "redhatofficial.rhel{{ ansible_distribution_major_version }}-{{ compliance_profile }}"
+...

linux/compliance-report.yml

@@ -9,17 +9,9 @@
       - openscap-utils
       - scap-security-guide
     compliance_profile: ospp
-    # install httpd and use it to host compliance report
     use_httpd: true
 
   tasks:
-    - name: Assert memory meets minimum requirements
-      ansible.builtin.assert:
-        that:
-          - ansible_memfree_mb >= 1000
-          - ansible_memtotal_mb >= 2000
-        fail_msg: "OpenSCAP is a memory intensive operation, the specified enepoint does not meet minimum requirements. See https://access.redhat.com/articles/6999111 for details."
-
     - name: Get our facts straight
       ansible.builtin.set_fact:
         _profile: '{{ compliance_profile | replace("pci_dss", "pci-dss") }}'
@@ -52,9 +44,7 @@
             state: enabled
             immediate: true
             permanent: true
-          when:
-            - "'firewalld.service' in ansible_facts.services"
-            - ansible_facts.services["firewalld.service"].state == "running"
+          when: "'firewalld.service' in ansible_facts.services"
 
         - name: Disable httpd welcome page
           ansible.builtin.file:
@@ -90,28 +80,11 @@
         group: root
         mode: 0644
 
-    - name: Debug output for report
-      ansible.builtin.debug:
-        msg: "http://{{ ansible_host }}/oscap-reports/{{ _profile }}/report-{{ ansible_date_time.iso8601 }}.html"
-      when: use_httpd | bool
-
-    - name: Tag instance as {{ compliance_profile | upper }}_OUT_OF_COMPLIANCE  # noqa name[template]
-      delegate_to: localhost
-      amazon.aws.ec2_tag:
-        region: "{{ placement.region }}"
-        resource: "{{ instance_id }}"
-        state: present
-        tags:
-          Compliance: "{{ compliance_profile | upper }}_OUT_OF_COMPLIANCE"
-      when:
-        - _oscap.rc == 2
-        - instance_id is defined
-      become: false
-
   handlers:
     - name: Restart httpd
       ansible.builtin.service:
         name: httpd
         state: restarted
         enabled: true
+
 ...

linux/patching.yml

@@ -11,7 +11,6 @@
       ansible.builtin.yum:
         name: yum-utils
         state: installed
-      check_mode: false
 
     - name: Include patching role
       ansible.builtin.include_role:
@@ -46,16 +45,6 @@
             name: firewalld
             state: started
 
-        - name: Enable firewall http service
-          ansible.posix.firewalld:
-            service: '{{ item }}'
-            state: enabled
-            immediate: true
-            permanent: true
-          loop:
-            - http
-            - https
-
         - name: Build report server
           ansible.builtin.include_role:
             name: "{{ item }}"

linux/remediate_out_of_compliance.yml

@@ -1,13 +0,0 @@
----
-- name: Apply compliance profile as part of workflow.
-  hosts: "{{ compliance_profile | default('stig') | upper }}_OUT_OF_COMPLIANCE"
-  become: true
-  tasks:
-    - name: Check os type
-      ansible.builtin.assert:
-        that: "ansible_os_family == 'RedHat'"
-
-    - name: Run Compliance Profile
-      ansible.builtin.include_role:
-        name: "redhatofficial.rhel{{ ansible_distribution_major_version }}-{{ compliance_profile }}"
-...

linux/setup.yml

@@ -334,33 +334,11 @@ controller_templates:
             - full
           required: true
 
-  - name: "LINUX / Compliance Enforce"
-    job_type: run
-    inventory: "Demo Inventory"
-    project: "Ansible Product Demos"
-    playbook: "linux/remediate_out_of_compliance.yml"
-    notification_templates_started: Telemetry
-    notification_templates_success: Telemetry
-    notification_templates_error: Telemetry
-    credentials:
-      - "Demo Credential"
-    extra_vars:
-      sudo_remove_nopasswd: false
-    survey_enabled: true
-    survey:
-      name: ''
-      description: ''
-      spec:
-        - question_name: Server Name or Pattern
-          type: text
-          variable: _hosts
-          required: true
-
   - name: "LINUX / DISA STIG"
     job_type: run
     inventory: "Demo Inventory"
     project: "Ansible Product Demos"
-    playbook: "linux/disa_stig.yml"
+    playbook: "linux/compliance.yml"
     notification_templates_started: Telemetry
     notification_templates_success: Telemetry
     notification_templates_error: Telemetry
@@ -382,13 +360,12 @@ controller_templates:
     job_type: run
     inventory: "Demo Inventory"
     project: "Ansible Product Demos"
-    playbook: "linux/multi_profile_compliance.yml"
+    playbook: "linux/compliance-enforce.yml"
     notification_templates_started: Telemetry
     notification_templates_success: Telemetry
     notification_templates_error: Telemetry
     credentials:
       - "Demo Credential"
-      - "AWS"
     extra_vars:
       # used by CIS profile role
       sudo_require_authentication: false
@@ -429,13 +406,12 @@ controller_templates:
     job_type: run
     inventory: "Demo Inventory"
     project: "Ansible Product Demos"
-    playbook: "linux/multi_profile_compliance_report.yml"
+    playbook: "linux/compliance-report.yml"
     notification_templates_started: Telemetry
     notification_templates_success: Telemetry
     notification_templates_error: Telemetry
     credentials:
       - "Demo Credential"
-      - "AWS"
     survey_enabled: true
     survey:
       name: ''
@@ -516,52 +492,4 @@ controller_templates:
           variable: application
           required: true
 
-controller_workflows:
-  - name: "Linux / Compliance Workflow"
-    description: A workflow to generate a SCAP report and run enforce on findings
-    organization: Default
-    notification_templates_started: Telemetry
-    notification_templates_success: Telemetry
-    notification_templates_error: Telemetry
-    survey_enabled: true
-    survey:
-      name: ''
-      description: ''
-      spec:
-        - question_name: Server Name or Pattern
-          type: text
-          default: aws_rhel*
-          variable: _hosts
-          required: true
-        - question_name: Compliance Profile
-          type: multiplechoice
-          variable: compliance_profile
-          required: true
-          choices:
-            - cis
-            - cjis
-            - cui
-            - hipaa
-            - ospp
-            - pci_dss
-            - stig
-        - question_name: Use httpd on the target host(s) to access reports locally?
-          type: multiplechoice
-          variable: use_httpd
-          required: true
-          choices:
-            - "true"
-            - "false"
-          default: "true"
-    simplified_workflow_nodes:
-      - identifier: Compliance Report
-        unified_job_template: "LINUX / Multi-profile Compliance Report"
-        success_nodes:
-          - Update Inventory
-      - identifier: Update Inventory
-        unified_job_template: AWS Inventory
-        success_nodes:
-          - Compliance Enforce
-      - identifier: Compliance Enforce
-        unified_job_template: "LINUX / Compliance Enforce"
 ...

multi_select_setup.yml

@@ -15,5 +15,3 @@
     - name: Default Components
       ansible.builtin.include_role:
         name: "infra.controller_configuration.job_launch"
-      vars:
-        controller_dependency_check: false  # noqa: var-naming[no-role-prefix]

network/README.md

@@ -12,8 +12,6 @@
 This category of demos shows examples of network operations and management with Ansible Automation Platform. The list of demos can be found below. See the [Suggested Usage](#suggested-usage) section of this document for recommendations on how to best use these demos.
 - [**NETWORK / Configuration**](https://github.com/nleiva/ansible-net-modules/blob/main/main.yml) - Deploy golden configurations for different resources to Cisco IOS, IOSXR, and NXOS.
 
-To run the demos, deploy them using Infrastructure as Code, run either the "Product Demos | Multi-demo setup" or the "Product Demos | Single demo setup" and select 'Network' in the "Product Demos" deployment, or utilize the steps in the repo level README.
-
 ### Project
 
 These demos leverage playbooks from a [git repo](https://github.com/nleiva/ansible-net-modules) that is added as the **`Network Golden Configs`** Project in your Ansible Controller. Review this repo for the playbooks to configure different resources and network config templates that will be configured.
@@ -27,7 +25,7 @@ A **`Demo Inventory`** is created when setting up these demos and a dynamic sour
 ## Suggested Usage
 
 **NETWORK / Report** - Use this job to gather facts from Cisco Network devices and create a report with information about the device such as code version, along with configuration information about layers 1, 2, and 3.  This shows how Ansible can be used to gather facts and build reports.  Generating html pages is just one potential output.  This information can be used in a number of ways, such as integration with different network management tools.
-  - to run this you will first need to run the **`Deploy Cloud Stack in AWS`** job template to deploy the report server.  If using a demo.redhat.com Product Demos instance you should use the public key provided in the demo page in the Bastion Host Credentials section. If you are using a different environment, you may need to update the "Demo Credential".
+  - to run this you will first need to run the **`Deploy Cloud Stack in AWS`** job template to deploy the report server.  This will ask you for an SSH public key.  After running this playbook, you will need to add the SSH private key to the **`Demo Credential`** before you can run the report, so it can connect to the report server.
 
 **NETWORK / Configuration** - Use this job to execute different [Ansible Network Resource Modules](https://docs.ansible.com/ansible/latest/network/user_guide/network_resource_modules.html) to deploy golden configs. Below is a list of the different resources the can be configured with a link to their golden config.
   - [acls](https://github.com/nleiva/ansible-net-modules/blob/main/acls.cfg)
@@ -79,11 +77,3 @@ A **`Demo Inventory`** is created when setting up these demos and a dynamic sour
   },
   "_ansible_no_log": false
 }
-
-**NETWORK / BACKUP** - Use this job to show how Ansible can be used to backup network devices using Red Hat validated content. Job Template will create a backup file on the reports server where they can be viewed as a webpage.  This is just an example - backups can also be sent to other repositories such as a Git repo (Github, Gitlab, etc).
-
-To run this demo, you will need to complete a couple of prerequisites:
-  - to run this you will first need to run the **`Deploy Cloud Stack in AWS`** job template to deploy the report server.
-  - If using a demo.redhat.com Product Demos instance you should use the public key provided in the demo page in the 'Bastion Host Credentials' section. If you are using a different environment, you may need to update the "Demo Credential".
-  - This works with Product Demos for AAP v2.5; which includes the "Product Demos EE" includes the \
-  network.backup collection.

network/backup.yml

@@ -1,63 +0,0 @@
----
-- name: Create network reports server
-  hosts: reports
-  become: true
-
-  tasks:
-    - name: Build report server
-      ansible.builtin.include_role:
-        name: "{{ item }}"
-      loop:
-        - demo.patching.report_server
-
-    - name: Create a backup directory if it does not exist
-      run_once: true
-      ansible.builtin.file:
-        path: "/var/www/html/backups"
-        state: directory
-        owner: ec2-user
-        group: ec2-user
-        mode: '0755'
-
-- name: Play to Backup Cisco Always-On Network Devices
-  hosts: routers
-  gather_facts: false
-  vars:
-    report_server: reports
-    backup_dir: "/tmp/network_backups"
-
-  tasks:
-    - name: Network Backup and Resource Manager
-      ansible.builtin.include_role:
-        name: network.backup.run
-      vars:  # noqa var-naming[no-role-prefix]
-        operation: backup
-        type: full
-        data_store:
-          local: "{{ backup_dir }}"
-
-    # This task removes the Current configuration... from the top of IOS routers show run
-    - name: Remove non config lines - regexp
-      delegate_to: localhost
-      ansible.builtin.lineinfile:
-        path: "{{ backup_dir }}/{{ inventory_hostname }}.txt"
-        line: "Building configuration..."
-        state: absent
-
-    - name: Copy backup file
-      delegate_to: "{{ report_server }}"
-      ansible.builtin.copy:
-        src: "{{ backup_dir }}/{{ inventory_hostname }}.txt"
-        dest: "/var/www/html/backups/{{ inventory_hostname }}.cfg"
-        backup: true
-        owner: ec2-user
-        group: ec2-user
-        mode: '0644'
-
-    - name: Review backup on report server
-      delegate_to: "{{ report_server }}"
-      run_once: true
-      ansible.builtin.debug:
-        msg: "To review backed up configurations, go to http://{{ ansible_host }}/backups/"
-
-...

network/hosts

@@ -1,42 +0,0 @@
-[ios]
-sandbox-iosxe-latest-1.cisco.com
-
-[ios:vars]
-ansible_network_os=cisco.ios.ios
-ansible_password=C1sco12345
-ansible_ssh_password=C1sco12345
-ansible_port=22
-ansible_user=admin
-
-[iosxr]
-sandbox-iosxr-1.cisco.com
-
-[iosxr:vars]
-ansible_network_os=cisco.iosxr.iosxr
-ansible_password=C1sco12345
-ansible_ssh_pass=C1sco12345
-ansible_port=22
-ansible_user=admin
-
-[nxos]
-sbx-nxos-mgmt.cisco.com
-sandbox-nxos-1.cisco.com
-
-[nxos:vars]
-ansible_network_os=cisco.nxos.nxos
-ansible_password=Admin_1234!
-ansible_ssh_pass=Admin_1234!
-ansible_port=22
-ansible_user=admin
-
-[routers]
-sbx-nxos-mgmt.cisco.com
-sandbox-nxos-1.cisco.com
-sandbox-iosxr-1.cisco.com
-sandbox-iosxe-latest-1.cisco.com
-
-[routers:vars]
-ansible_connection=ansible.netcommon.network_cli
-
-[webservers]
-reports ansible_host=ec2-18-118-189-162.us-east-2.compute.amazonaws.com ansible_user=ec2-user

network/setup.yml

@@ -11,9 +11,7 @@ controller_projects:
     scm_type: git
     scm_url: https://github.com/nleiva/ansible-net-modules
     update_project: true
-    wait: false
-    controller_request_timeout: 20
-    controller_configuration_async_retries: 40
+    wait: true
     default_environment: Networking Execution Environment
 
 controller_inventories:
@@ -25,8 +23,8 @@ controller_inventory_sources:
     source: scm
     inventory: Demo Inventory
     overwrite: true
-    source_project: Ansible Product Demos
-    source_path: network/hosts
+    source_project: Network Golden Configs
+    source_path: hosts
 
 controller_templates:
   - name: NETWORK / Configuration
@@ -35,8 +33,6 @@ controller_templates:
     survey_enabled: true
     project: Network Golden Configs
     playbook: main.yml
-    credentials:
-      - "Demo Credential"
     execution_environment: Networking Execution Environment
     notification_templates_started: Telemetry
     notification_templates_success: Telemetry
@@ -99,23 +95,9 @@ controller_templates:
     inventory: Demo Inventory
     project: "Ansible Product Demos"
     playbook: "network/compliance.yml"
-    credentials:
-      - "Demo Credential"
     notification_templates_started: Telemetry
     notification_templates_success: Telemetry
     notification_templates_error: Telemetry
     use_fact_cache: true
     ask_job_type_on_launch: true
     survey_enabled: true
-
-  - name: "NETWORK / Backup"
-    job_type: run
-    organization: Default
-    inventory: Demo Inventory
-    project: "Ansible Product Demos"
-    playbook: "network/backup.yml"
-    credentials:
-      - "Demo Credential"
-    notification_templates_started: Telemetry
-    notification_templates_success: Telemetry
-    notification_templates_error: Telemetry

openshift/README.md

@@ -14,6 +14,10 @@ This category of demos shows examples of OpenShift operations and management wit
 - [**OpenShift / Dev Spaces**](devspaces.yml) - Install and deploy dev spaces on OCP cluster. After this job has run successfully, login to your OCP cluster, click the application icon (to the left of the bell icon in the top right) to access Dev Spaces
 - [**OpenShift / GitLab**](gitlab.yml) - Install and deploy GitLab on OCP.
 - [**OpenShift / EDA / Install Controller**](eda/install.yml) - Install and deploy EDA Controller instance using the AAP OpenShift operator.
+- **OpenShift / CNV /  Deploy Automation Hub and sync EEs and Collections** - Workflow Job Template to deploy a functional Automaiton Hub instance in OCP.
+    - [**OpenShift / Hub / Install Automation Hub**](hub/install.yml) - Install and deploy Automation Hub instance using the AAP OpenShift operator.
+    - [**OpenShift / Hub / Sync EE Registries**](hub/registries.yml) - Synchronize Execution Environments from console.redhat.com.
+    - [**OpenShift / Hub / Sync Collection Repositories**](hub/collections.yml) - Synchronize collections from console.redhat.com.
 - [**OpenShift / CNV / Install Operator**](cnv/install.yml) - Install the Container Native Virtualization (CNV) operator and all its required dependencies.
 - **OpenShift / CNV / Infra Stack** - Workflow Job Template to build out infrastructure necessary to run jobs against VMs in OpenShift Virtualization.
     - [**OpenShift / CNV / Create RHEL VM**](cnv/install.yml) - Install the Container Native Virtualization (CNV) operator and all its required dependencies.

openshift/cnv/provision_rhel.yml

@@ -94,4 +94,3 @@
         name: "{{ vm_name }}"
         namespace: "{{ vm_namespace }}"
         wait: true
-        wait_timeout: 240

openshift/gitlab.yml

@@ -101,21 +101,6 @@
       retries: 10
       delay: 30
 
-    - name: Get available charts from gitlab operator repo
-      register: gitlab_chart_versions
-      ansible.builtin.uri:
-        url: https://gitlab.com/gitlab-org/cloud-native/gitlab-operator/-/raw/master/CHART_VERSIONS?ref_type=heads
-        method: GET
-        return_content: true
-
-    - name: Debug gitlab_chart_versions
-      ansible.builtin.debug:
-        var: gitlab_chart_versions.content | from_yaml
-
-    - name: Get latest chart from available_chart_versions
-      ansible.builtin.set_fact:
-        gitlab_chart_version: "{{ (gitlab_chart_versions.content | split())[0] }}"
-
     - name: Grab url for Gitlab spec
       ansible.builtin.set_fact:
         cluster_domain: "apps{{ lookup('ansible.builtin.env', 'K8S_AUTH_HOST') | regex_search('\\.[^:]*') }}"
@@ -148,20 +133,3 @@
                       route.openshift.io/termination: "edge"
                 certmanager-issuer:
                   email: "{{ cert_email | default('nobody@nowhere.nosite') }}"
-
-    - name: Print out warning and initial details about deployment
-      vars:
-        msg: |
-          If not immediately successful be aware that the Gitlab instance can take
-          a couple minutes to come up, so be patient.
-
-          URL for Gitlab instance:
-          https://gitlab.{{ cluster_domain }}
-
-          The initial login user is 'root', and the password can be found by logging
-          into the OpenShift cluster portal, and on the left hand side of the administrator
-          portal, under workloads, select Secrets and look for 'gitlab-gitlab-initial-root-password'
-      ansible.builtin.debug:
-        msg: "{{ msg.split('\n') }}"
-
-...

openshift/host_vars/localhost.yml

@@ -1,2 +1,2 @@
 ---
-gitlab_chart_version: "8.5.1"
+gitlab_chart_version: "8.0.1"

openshift/setup.yml

@@ -245,34 +245,6 @@ controller_templates:
       - "OpenShift Credential"
 
 controller_workflows:
-  - name: OpenShift / CNV / Sync Hosts
-    description: A workflow to update dynamic CNV inventory and wait for hosts to become avilable
-    organization: Default
-    notification_templates_started: Telemetry
-    notification_templates_success: Telemetry
-    notification_templates_error: Telemetry
-    survey_enabled: true
-    survey:
-      name: ''
-      description: ''
-      spec:
-        - question_name: Specify target hosts
-          type: text
-          variable: _hosts
-          required: true
-          default: "openshift-cnv-rhel*"
-    simplified_workflow_nodes:
-      - identifier: Inventory Sync
-        unified_job_template: OpenShift CNV Inventory
-        success_nodes:
-          - Wait Hosts
-      - identifier: Wait Hosts
-        unified_job_template: OpenShift / CNV / Wait Hosts
-        failure_nodes:
-          - Second Inventory Sync
-      - identifier: Second Inventory Sync
-        unified_job_template: OpenShift CNV Inventory
-
   - name: OpenShift / CNV / Infra Stack
     description: A workflow to deploy Virtualized infra in OCP Virtalization
     organization: Default
@@ -296,10 +268,6 @@ controller_workflows:
           type: text
           variable: rh_subscription_org
           required: true
-        - question_name: Email
-          type: text
-          variable: email
-          required: true
     simplified_workflow_nodes:
       - identifier: Deploy RHEL8 VM
         unified_job_template: OpenShift / CNV / Create RHEL VM
@@ -348,15 +316,15 @@ controller_workflows:
         success_nodes:
           - Patch Instance
       # We need to do an invnetory sync *after* creating snapshots, as turning VMs on/off changes their IP
-      - identifier: Sync Hosts
-        unified_job_template: OpenShift / CNV / Sync Hosts
+      - identifier: Inventory Sync
+        unified_job_template: OpenShift CNV Inventory
         success_nodes:
           - Patch Instance
       - identifier: Take Snapshot
         unified_job_template: OpenShift / CNV / Create VM Snapshots
         success_nodes:
           - Project Sync
-          - Sync Hosts
+          - Inventory Sync
       - identifier: Patch Instance
         unified_job_template: OpenShift / CNV / Patch
         job_type: run

roles/requirements.yml

@@ -2,65 +2,45 @@
 roles:
   # RHEL 7 compliance roles from ComplianceAsCode
   - name: redhatofficial.rhel7-cis
-    src: https://github.com/RedHatOfficial/ansible-role-rhel7-cis
     version: 0.1.72
   - name: redhatofficial.rhel7-cjis
-    src: https://github.com/RedHatOfficial/ansible-role-rhel7-cjis
     version: 0.1.72
   - name: redhatofficial.rhel7-cui
-    src: https://github.com/RedHatOfficial/ansible-role-rhel7-cui
     version: 0.1.72
   - name: redhatofficial.rhel7-hipaa
-    src: https://github.com/RedHatOfficial/ansible-role-rhel7-hipaa
     version: 0.1.72
   - name: redhatofficial.rhel7-ospp
-    src: https://github.com/RedHatOfficial/ansible-role-rhel7-ospp
     version: 0.1.72
   - name: redhatofficial.rhel7-pci-dss
-    src: https://github.com/RedHatOfficial/ansible-role-rhel7-pci-dss
     version: 0.1.72
   - name: redhatofficial.rhel7-stig
-    src: https://github.com/RedHatOfficial/ansible-role-rhel7-stig
     version: 0.1.72
   # RHEL 8 compliance roles from ComplianceAsCode
   - name: redhatofficial.rhel8-cis
-    src: https://github.com/RedHatOfficial/ansible-role-rhel8-cis
     version: 0.1.72
   - name: redhatofficial.rhel8-cjis
-    src: https://github.com/RedHatOfficial/ansible-role-rhel8-cjis
     version: 0.1.72
   - name: redhatofficial.rhel8-cui
-    src: https://github.com/RedHatOfficial/ansible-role-rhel8-cui
     version: 0.1.72
   - name: redhatofficial.rhel8-hipaa
-    src: https://github.com/RedHatOfficial/ansible-role-rhel8-hipaa
     version: 0.1.72
   - name: redhatofficial.rhel8-ospp
-    src: https://github.com/RedHatOfficial/ansible-role-rhel8-ospp
     version: 0.1.72
   - name: redhatofficial.rhel8-pci-dss
-    src: https://github.com/RedHatOfficial/ansible-role-rhel8-pci-dss
     version: 0.1.72
   - name: redhatofficial.rhel8-stig
-    src: https://github.com/RedHatOfficial/ansible-role-rhel8-stig
     version: 0.1.72
   # RHEL 9 compliance roles from ComplianceAsCode
   - name: redhatofficial.rhel9-cis
-    src: https://github.com/RedHatOfficial/ansible-role-rhel9-cis
     version: 0.1.72
   - name: redhatofficial.rhel9-cui
-    src: https://github.com/RedHatOfficial/ansible-role-rhel9-cui
     version: 0.1.72
   - name: redhatofficial.rhel9-hipaa
-    src: https://github.com/RedHatOfficial/ansible-role-rhel9-hipaa
     version: 0.1.72
   - name: redhatofficial.rhel9-ospp
-    src: https://github.com/RedHatOfficial/ansible-role-rhel9-ospp
     version: 0.1.72
   - name: redhatofficial.rhel9-pci-dss
-    src: https://github.com/RedHatOfficial/ansible-role-rhel9-pci-dss
     version: 0.1.72
   - name: redhatofficial.rhel9-stig
-    src: https://github.com/RedHatOfficial/ansible-role-rhel9-stig
     version: 0.1.72
 ...

setup_demo.yml

@@ -16,9 +16,7 @@
 
     - name: Create common demo resources
       ansible.builtin.include_role:
-        name: infra.controller_configuration.dispatch
-      vars:
-        controller_dependency_check: false  # noqa: var-naming[no-role-prefix]
+        name: infra.aap_configuration.dispatch
 
 - name: Setup demo
   hosts: localhost
@@ -29,9 +27,7 @@
 
     - name: Demo Components
       ansible.builtin.include_role:
-        name: infra.controller_configuration.dispatch
-      vars:
-        controller_dependency_check: false  # noqa: var-naming[no-role-prefix]
+        name: infra.aap_configuration.dispatch
 
     - name: Log Demo
       ansible.builtin.uri:

tests/requirements.yml

@@ -1 +0,0 @@
-../execution_environments/requirements-25.yml

windows/create_ad_domain.yml

@@ -12,17 +12,14 @@
     - name: Update the hostname
       ansible.windows.win_hostname:
         name: "{{ inventory_hostname.split('.')[0] }}"
-      register: r_rename_hostname
 
     - name: Reboot to apply new hostname
-      # noqa no-handler
-      when: r_rename_hostname is changed
       ansible.windows.win_reboot:
         reboot_timeout: 3600
 
     - name: Create new domain in a new forest on the target host
       register: r_create_domain
-      microsoft.ad.domain:
+      ansible.windows.win_domain:
         dns_domain_name: ansible.local
         safe_mode_password: "{{ lookup('community.general.random_string', min_lower=1, min_upper=1, min_special=1, min_numeric=1) }}"
 
@@ -33,7 +30,7 @@
         file: tasks/domain_services_check.yml
 
     - name: Create some groups
-      microsoft.ad.group:
+      community.windows.win_domain_group:
         name: "{{ item.name }}"
         scope: global
       loop:
@@ -44,19 +41,17 @@
       delay: 10
 
     - name: Create some users
-      microsoft.ad.user:
+      community.windows.win_domain_user:
         name: "{{ item.name }}"
-        groups:
-          set:
-            - "{{ item.group }}"
+        groups: "{{ item.groups }}"
         password: "{{ lookup('community.general.random_string', min_lower=1, min_upper=1, min_special=1, min_numeric=1) }}"
         update_password: on_create
       loop:
         - name: "UserA"
-          group: "GroupA"
+          groups: "GroupA"
         - name: "UserB"
-          group: "GroupB"
+          groups: "GroupB"
         - name: "UserC"
-          group: "GroupC"
+          groups: "GroupC"
       retries: 5
       delay: 10

windows/group_vars/os_windows.yml

@@ -0,0 +1,5 @@
+---
+ansible_connection: winrm
+ansible_winrm_transport: ntlm
+ansible_winrm_server_cert_validation: ignore
+ansible_port: 5986

windows/helpdesk_new_user_portal.yml

@@ -10,7 +10,7 @@
         # Example result: ['&Qw2|E[-']
 
     - name: Create new user
-      microsoft.ad.user:
+      community.windows.win_domain_user:
         name: "{{ firstname }} {{ surname }}"
         firstname: "{{ firstname }}"
         surname: "{{ surname }}"

windows/join_ad_domain.yml

@@ -16,7 +16,7 @@
     - name: Ensure Demo OU exists
       run_once: true
       delegate_to: "{{ domain_controller }}"
-      microsoft.ad.ou:
+      community.windows.win_domain_ou:
         name: Demo
         state: present
 
@@ -26,7 +26,7 @@
 
     - name: Join ansible.local domain
       register: r_domain_membership
-      microsoft.ad.membership:
+      ansible.windows.win_domain_membership:
         dns_domain_name: ansible.local
         hostname: "{{ inventory_hostname.split('.')[0] }}"
         domain_admin_user: "{{ ansible_user }}@ansible.local"

windows/patching.yml

@@ -5,12 +5,6 @@
     report_server: aws_win1
 
   tasks:
-
-    - name: Assert that host is in webservers group
-      ansible.builtin.assert:
-        that: "'{{ report_server }}' in groups.os_windows"
-        msg: "Please run the 'Deploy Cloud Stack in AWS' Workflow Job Template first"
-
     - name: Patch windows server
       ansible.builtin.include_role:
         name: demo.patching.patch_windows

windows/setup.yml

@@ -40,6 +40,7 @@ controller_templates:
     inventory: "Demo Inventory"
     project: "Ansible Product Demos"
     playbook: "windows/patching.yml"
+    execution_environment: Default execution environment
     notification_templates_started: Telemetry
     notification_templates_success: Telemetry
     notification_templates_error: Telemetry
@@ -85,6 +86,7 @@ controller_templates:
     inventory: "Demo Inventory"
     project: "Ansible Product Demos"
     playbook: "windows/rollback.yml"
+    execution_environment: Default execution environment
     notification_templates_started: Telemetry
     notification_templates_success: Telemetry
     notification_templates_error: Telemetry
@@ -109,6 +111,7 @@ controller_templates:
     inventory: "Demo Inventory"
     project: "Ansible Product Demos"
     playbook: "windows/connect.yml"
+    execution_environment: Default execution environment
     notification_templates_started: Telemetry
     notification_templates_success: Telemetry
     notification_templates_error: Telemetry
@@ -417,7 +420,7 @@ controller_workflows:
         unified_job_template: Cloud / AWS / Create VM
         job_type: run
         extra_data:
-          create_vm_vm_name: dc01
+          create_vm_vm_name: dc01.ansible.local
           create_vm_vm_purpose: domain_controller
           create_vm_vm_deployment: domain_ansible_local
           vm_blueprint: windows_full
@@ -427,7 +430,7 @@ controller_workflows:
         unified_job_template: Cloud / AWS / Create VM
         job_type: run
         extra_data:
-          create_vm_vm_name: winston
+          create_vm_vm_name: winston.ansible.local
           create_vm_vm_purpose: domain_computer
           create_vm_vm_deployment: domain_ansible_local
           vm_blueprint: windows_core
@@ -437,7 +440,7 @@ controller_workflows:
         unified_job_template: Cloud / AWS / Create VM
         job_type: run
         extra_data:
-          create_vm_vm_name: winthrop
+          create_vm_vm_name: winthrop.ansible.local
           create_vm_vm_purpose: domain_computer
           create_vm_vm_deployment: domain_ansible_local
           vm_blueprint: windows_core
@@ -471,7 +474,7 @@ controller_workflows:
         job_type: run
         extra_data:
           _hosts: purpose_domain_computer
-          domain_controller: dc01
+          domain_controller: dc01.ansible.local
         failure_nodes:
           - Cleanup Resources
         success_nodes: